An Introduction to PWN Challenges

PWN challenges are a type of CTF challenge that require you to exploit a binary, typically one running on a remote server. You find a vulnerability in the binary and use it either to make the program give up the flag directly, or to gain access to the system it runs on.

Often, PWN challenges will require you to connect to a remote server on which the binary is running, and then exploit the binary there. This is done by connecting to the server using a tool such as netcat, and then sending input to the program.

Typically, you will be given an IP address and a port number to connect to. An example of a challenge prompt for a PWN challenge might look like:

nc 138.68.136.255 6002

Here nc is the command to connect to a server using Netcat, 138.68.136.255 is the IP address of the server, and 6002 is the port number.

Note: If using Windows you can use ncat instead of nc. You must first install Netcat for Windows or Linux. (Some Linux distributions may already have netcat installed.)

Useful tools for solving PWN challenges

There are a number of tools that can be used to solve PWN challenges. These include:

  • Python - A programming language that can be used to automate tasks, and interact with the server.
  • pwntools - A python library for rapid exploit development.
  • GDB - A debugger for binaries.
  • Ghidra - A reverse engineering tool for binaries.

pwntools is my personal favourite tool for solving PWN challenges. It is a Python library that can be used to automate tasks and interact with the server. It has a number of useful functions for talking to the server, such as p.recv() and p.sendline(), which receive data from and send data to the server.

Steps for solving a typical PWN challenge

  1. Connect to the server using netcat.
  2. Work out what the binary does.
  3. Find a vulnerability in the binary.
  4. Script a solution to the challenge using Python and pwntools.
  5. Obtain the flag.

Example PWN challenge

A challenge I created for ENUSEC’s “Le Tour Du Hack 2022” Conference was a PWN challenge called “Powers of Automation 2.0” (POA2). The challenge prompt was:

nc {ip} {port}

The binary was running a script that asked the user to guess a randomly generated number between 0 and 1,000,000,000 in less than 30 seconds. If the user guessed the number correctly, they would be given the flag.

Obviously, this could not be solved by a human, so players had to write a script to solve the challenge. The script could have been written in Python and used pwntools, to connect to the server, and guess the number by implementing a binary search algorithm.

What is a binary search algorithm?

A binary search algorithm is an algorithm that searches for an item in a sorted list by repeatedly dividing the search interval in half. The algorithm begins by creating an interval with the lowest and highest possible values. It then checks the middle value of the interval, and if the value is higher than the target value, it sets the highest value to the middle value. If the value is lower than the target value, it sets the lowest value to the middle value. It then repeats this process until the target value is found.

The binary search algorithm is a very efficient way of searching for a value in a sorted list, as it only requires a maximum (worst case scenario, time complexity O(log N)) of 9 guesses to find the target value in a list of 1,000,000,000 items.

Visual representation of a binary search algorithm

Target number: 7

[Image: binary search step 1 (/images/posts/binarysearch/step1.jpg)]

Starting with a list of the numbers 1 to 10, the binary search algorithm begins by creating an interval with the lowest and highest possible values. In this case, the lowest value is 1, and the highest value is 10. It then checks the middle value of the interval, which is 5.5. As 5.5 is not a whole number, it is rounded down to 5, so the middle value is 5. As 5 is not the target value, the algorithm checks whether the middle value is higher or lower than the target value. In this case, 5 is lower than 7, so it sets the lowest value to 5. It then repeats this process until the target value is found.

[Image: binary search step 2 (/images/posts/binarysearch/step2.jpg)]

In this case, the middle value is 7.5, which is rounded down to 7. As 7 is the target value, the algorithm has found the target value.

PWNTOOLS script for solving POA2

    # Powers of Automation 2.0 - SOLUTION EXAMPLE
    # Created by Watson (@LewisNWatson)
    
    from pwn import *
    
    context.update(arch='i386', os='linux')
    
    conn = remote('127.0.0.1', 6000)  # Connects to localhost (change 127... to correct IP)
    
    # Exclusive search bounds: the secret is strictly between rangeMin and rangeMax
    rangeMax = 1000000001
    rangeMin = 0
    
    while True:
    
        # Midpoint of the current interval (integer division rounds down)
        guess = (rangeMax-rangeMin)//2 + rangeMin
        conn.sendline(str(guess))
        conn.recvline()           # discard the prompt line
        result = conn.recvline()  # the server's verdict on the guess
    
        if result == b'Too low!\r\n':
            rangeMin = guess
        elif result == b'Too high!\r\n':
            rangeMax = guess
        else:
            # The prompt and the verdict arrived on one line, so our reads are out of
            # step with the server: print it and resend the same guess to resynchronise
            if result == b'Guess a number between 1 and 1,000,000,000: Too low!\r\n' or result == b'Guess a number between 1 and 1,000,000,000: Too high!\r\n':
                print(result)
                continue
            else:
                # Anything else is the win message, which contains the flag
                print(result)
                conn.close()
                exit()
    
        print("guess: " + str(guess) + " range: " + str(rangeMin) + "-" + str(rangeMax) + " result: " + str(result))

If I were to explain this script the blog post would be too long, however if you would like to download the script and run it yourself, you can do so here.
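As an added example (my own code, not the POA2 solution script or the challenge server), here is the same binary-search strategy run offline against a constructed stand-in for the game. The names `GuessServer`, `classify_response` and `binary_search_guess` and the placeholder flag are my own. It keeps the exclusive bounds of the script above, accepts the prompt-prefixed verdict lines the script has to special-case, and returns the number of round trips used, which is what matters under the 30-second limit.

```python
# Added example: binary-search guessing against a local stand-in for the POA2 server.
# GuessServer, classify_response and binary_search_guess are my own names; the
# flag text is a placeholder, not a real flag.
import random

MAX_NUMBER = 1_000_000_000  # upper bound from the challenge prompt


class GuessServer:
    """Constructed stand-in for the remote game. It answers each guess the way
    the solution script expects: 'Too low!', 'Too high!' or a win line."""

    def __init__(self, secret):
        self.secret = secret
        self.guesses = 0  # number of guesses received so far

    def respond(self, guess):
        self.guesses += 1
        if guess < self.secret:
            return b"Too low!\r\n"
        if guess > self.secret:
            return b"Too high!\r\n"
        return b"Correct! flag{placeholder_not_a_real_flag}\r\n"


def classify_response(line):
    """Map a raw server line to 'low', 'high' or 'done'.

    The prompt text can be prepended to the verdict when reads fall out of
    step with the server, so the verdict is matched at the end of the line
    instead of comparing the whole line."""
    text = line.decode(errors="replace").strip()
    if text.endswith("Too low!"):
        return "low"
    if text.endswith("Too high!"):
        return "high"
    return "done"


def binary_search_guess(server, lo=0, hi=MAX_NUMBER + 1):
    """Binary search with exclusive bounds: the secret is strictly between
    lo and hi. Returns (winning_guess, number_of_guesses_used)."""
    while True:
        guess = lo + (hi - lo) // 2  # midpoint, rounded down
        verdict = classify_response(server.respond(guess))
        if verdict == "low":
            lo = guess   # secret is above the guess
        elif verdict == "high":
            hi = guess   # secret is below the guess
        else:
            return guess, server.guesses


if __name__ == "__main__":
    secret = random.randint(1, MAX_NUMBER)  # constructed secret for the demo
    found, rounds = binary_search_guess(GuessServer(secret))
    print(f"secret={secret} found={found} guesses={rounds}")
```

The search only ever needs the verdict, so a real solver would replace `server.respond(guess)` with a `sendline`/`recvline` pair and leave the rest unchanged.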

Note: The server we used for the challenge is no longer running, so you will need to run the POA2_Challenge.py script and open a socat listener on port 6000 to test the script. On Linux this can be done by running the following command:

socat TCP-LISTEN:6000,fork,reuseaddr EXEC:"python3 POA2_Challenge.py",pty,stderr

Conclusion

I hope this blog post has helped you understand what PWN challenges are, and how to solve them. If you have any questions, or would like to discuss anything, please feel free to contact me on Twitter or LinkedIn.