Tags: assembler misc miscellaneous asm 

# Write up for ReturnMeFast
The first thing we see after connecting with **nc returnmefast.chal.intentsummit.org 9999** and sending any message:
```
INPUT> .
NotTheJsonIWasLookingFor
```
So it expects a *JSON* object. We test it and discover the required attributes one by one, as listed below.
```
INPUT> {}
NoCommand No field command in data.
INPUT> {"command": "test"}
BadCommand Bad command type
INPUT> {"command": 1}
BadUserName No username field.
INPUT> {"command": 1, "username": 3}
BadUserType Bad username type.
INPUT> {"command": 1, "username": "user"}
BadUserName Bad username user, try another one.
INPUT>
```
We can see the error **BadUserName**. After some bruteforcing etc. I decided to create a **python** script that first loads the top 17 usernames and then a wordlist with common usernames.
```python3
from pwn import *
from pwnlib.asm import asm, context
import json

def stringify(jss):
    return json.dumps(jss)

def parse(jss):
    return json.loads(jss)

def testName(r, name):
    # Send one JSON request and check whether the server rejects the username.
    r.sendline(name)
    ez = r.recv()
    if b'BadUserName Bad username ' not in ez:
        return [True, ez, name]
    else:
        return [False]

# Connect to the challenge service (the snippet used r without creating it).
r = remote("returnmefast.chal.intentsummit.org", 9999)

l = ["root","admin","test","guest","info","adm","mysql","user","administrator","oracle","ftp","pi","puppet","ansible","ec2-user","vagrant","azureuser"]
for i in l:
    js = {"command": 1, "username": i}
    tr = testName(r, stringify(js))
    if tr[0]:
        print(i)
        print('Found something:', tr)
        break
r.interactive()
```
After that I found out I don't need to load any longer wordlist, because the username **oracle** worked, and we can see the following output:
```
INPUT> {"command": 1, "username": "oracle"}
Unicorn me asap. Starting the game: oracle -> [(10, 15), (5, 9), (5, 1), (4, 9), (6, 7), (13, 15)].
INPUT>
```
After entering other command numbers I found out that command no. **2** gives some more information:
```
INPUT> {"command": 2, "username": "oracle"}
MissingX86Unicorn Missing asm field.
```
So now we need an *asm* field. After some looking around, we can assume it wants some assembler code in *hex*.
```
INPUT> {"command": 1, "username": "oracle"}
Unicorn me asap. Starting the game: oracle -> [(10, 14), (7, 10), (1, 5), (5, 1), (3, 5), (8, 13)].
INPUT> {"command": 2, "username": "oracle", "asm": "e"}
BadX86AsmHex The format of your asm code was not right. Look at unicorns for examples.
INPUT> {"command": 2, "username": "oracle", "asm": "aa"}
BadUnicornLength 1
INPUT>
```
After bruteforcing hex values we can see that the only one that does not give an error is *b800000000*.

### Script that parses the list of tuples and, for each tuple, sends asm whose length is the tuple's second element and which puts the first element into eax
#### It gives the flag (output below)
```python3
from pwn import *
from pwnlib.asm import asm, context
import ast
import json

def stringify(jss):
    return json.dumps(jss)

def parse(jss):
    return json.loads(jss)

def getCode(r):
    # Start a game and read the list of tuples from the reply.
    a = stringify({"command": 1, "username": "oracle"})
    r.sendline(a)
    jd = r.recv().decode('utf-8').split("-> ")
    ez = jd[1][:-9]  # drop the trailing ".\nINPUT> "
    # literal_eval instead of eval: text from the server must never run as code.
    return ast.literal_eval(ez)

def sendCode(r, code):
    a = stringify({"command": 2, "username": "oracle", "asm": code})
    r.sendline(a)
    resp = r.recv()
    print(resp.decode('utf-8'))

r = remote("returnmefast.chal.intentsummit.org", 9999)
lista = getCode(r)
print('I parsed code:', lista)
xd = ""
for i in lista:
    # b8 <imm32> is "mov eax, imm32" (5 bytes); 90 is "nop" (1 byte each).
    xd = f"b8{'{:02x}'.format(i[0])}000000"
    xd += "90"*(i[1]-5)
    print("Sending: ", xd)
    sendCode(r, xd)
    sleep(1)
r.interactive()
```
```
I parsed code: [(11, 12), (4, 8), (7, 8), (3, 7), (6, 11), (8, 9)]
Sending: b80b00000090909090909090
Good!. Go to the next step.
INPUT>
Sending: b804000000909090
Good!. Go to the next step.
INPUT>
Sending: b807000000909090
Good!. Go to the next step.
INPUT>
Sending: b8030000009090
Good!. Go to the next step.
INPUT>
Sending: b806000000909090909090
Good!. Go to the next step.
INPUT>
Sending: b80800000090909090
INTENT{we1Rd_unkn0wn_m4Chin3S_ar3_mY_J4m}
INPUT>
```
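
The payload construction from the script above, as an added example that is not part of the original write-up. It goes slightly further than the script: it accepts any 32-bit value and refuses lengths below 5 bytes, such as the `(5, 1)` round in the earlier game lists, where the script's `"90"*(i[1]-5)` would silently send 5 bytes. The names `parse_rounds`, `build_payload` and `SAMPLE_BANNER` are hypothetical, and the sample banner is constructed from the reply format and values shown above.

```python
import ast
import re

MOV_EAX_IMM32 = 0xB8  # x86 opcode: mov eax, imm32 (5 bytes with its operand)
NOP = 0x90            # x86 opcode: nop (1 byte)

# Constructed sample in the format of the server's command-1 reply shown above.
SAMPLE_BANNER = ("Unicorn me asap. Starting the game: oracle -> "
                 "[(11, 12), (4, 8), (7, 8), (3, 7), (6, 11), (8, 9)].\nINPUT> ")

def parse_rounds(banner):
    """Extract the [(value, length), ...] list from the game banner."""
    match = re.search(r"->\s*(\[.*?\])", banner)
    if match is None:
        raise ValueError("no round list found in banner")
    # literal_eval only accepts Python literals, so text from the server
    # can never execute as code the way it could with eval().
    rounds = ast.literal_eval(match.group(1))
    for item in rounds:
        if not (isinstance(item, tuple) and len(item) == 2
                and all(isinstance(n, int) for n in item)):
            raise ValueError(f"unexpected round entry: {item!r}")
    return rounds

def build_payload(value, length):
    """Hex of `mov eax, value` padded with NOPs to exactly `length` bytes."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value does not fit in a 32-bit immediate")
    if length < 5:
        # mov eax, imm32 alone is 5 bytes, so a shorter round cannot be
        # met with this encoding; fail loudly instead of sending 5 bytes.
        raise ValueError(f"length {length} is shorter than mov eax, imm32")
    code = bytes([MOV_EAX_IMM32]) + value.to_bytes(4, "little")
    code += bytes([NOP]) * (length - len(code))
    return code.hex()

def payloads_for(banner):
    """Payload hex strings for every round announced in the banner."""
    return [build_payload(v, n) for v, n in parse_rounds(banner)]

if __name__ == "__main__":
    for hex_code in payloads_for(SAMPLE_BANNER):
        print(hex_code)
```
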