Hello guys, I am playing a CTF and I have to crack a program to get a shell. The source code is:

/*
 * gcc ch21.c -lcrypt -o ch21
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <crypt.h>
#include <sys/types.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
    char pid[16];
    char *args[] = { "/bin/bash", "-p", 0 };

    /* The "secret" is the program's own PID, rendered as a decimal string. */
    snprintf(pid, sizeof(pid), "%i", getpid());
    if (argc != 2)
        return 0;

    /* Echoes the supplied guess next to the expected MD5-crypt hash of the PID. */
    printf("%s=%s", argv[1], crypt(pid, "$1$awesome"));

    /* argv[1] must equal crypt(pid, "$1$awesome"); on a match a privileged shell is exec'd. */
    if (strcmp(argv[1], crypt(pid, "$1$awesome")) == 0) {
        printf("WIN!\n");
        execve(args[0], &args[0], NULL);
    } else {
        printf("Fail... :/\n");
    }
    return 0;
}

Now I debugged it with gdb. As I understood from the source, I have to enter the process ID (PID) during runtime to get a successful shell. With GDB-PEDA I have tried getpid during a breakpoint, but how do I continue with the process ID? With gdb only the run command passes input to the program. Any help!

Any notification!

mahmoudadel

1 Answer

Not sure if I understood your question correctly, but the PID is limited in range and cycles when the limit is reached, and the max is usually around 2^15. You could simply run a loop that would run through the potential PIDs to match the one that will be assigned to the process.

Something like this would do:

import crypt, os

SALT = "$1$awesome"
# Aim a little ahead of our own PID: PIDs are handed out sequentially and wrap around at pid_max.
target = os.getpid() + 50
password = crypt.crypt(str(target), SALT)
print("Selected:", target)

for _ in range(32768):
    child = os.fork()
    if child == 0:
        # Only the child that really received the guessed PID runs ch21; every other child exits at once.
        if os.getpid() != target:
            os._exit(0)
        os.execv("./ch21", ["./ch21", password])
    os.waitpid(child, 0)   # for the matching child this returns only when the spawned bash -p exits
    if child == target:
        break
Paweł Łukasik