UIUCTF Time_To_Start

2020-07-20

Time_To_Start

Challenge Description

Welcome to pwnyOS!!

pwnyOS is a custom x86 operating system that supports link-time kASLR, multitasking and kernel threads, execution of genuine ELF files, a realtime high resolution graphics engine, and a custom hierarchical file system. This OS was written from the ground up with its use as a challenge for UIUCTF 2020 in mind. All source code in the OS is 100% custom handwritten C and assembly- there are no libraries used, and none of its code can be found anywhere online. This competition simulates an unprivileged user with physical access to a keyboard and terminal attempting to gain local privilege escalation on an unfamiliar system.

Documentation: https://github.com/sigpwny/pwnyOS-2020-docs/blob/master/Getting_Started.pdf

System Calls: https://github.com/sigpwny/pwnyOS-2020-docs/blob/master/Syscalls.pdf

For your first challenge: Login to the OS with username sandb0x

Password is 4 characters, all lowercase letters. First character is 'p'. I wonder if there's a way to leak the next char, knowing that the first part of the password is right...?

Author: ravi

Login

We connect to our VM and are created by an excellent login page. We have a username sandb0x but only the first character for the password so we need to find a way to get the rest of it.

Solution

We know the first character will be the letter p Since we know the first character we start playing around with some characters that we know are incorrect. We notice that any other character quickly returns incorrect while for p the response takes a bit longer. Based off this and the reference to time in the challenge name we can guess this is some kind of timing attack.

The basic idea is that there will be a discrepancy in the time that it takes to complete certain actions. That serves to leak information about checked values.

We start trying different characters and tracking how long it takes pwnyOS to respond. We notice that the responses are fairly close to each other. However, as we continue we notice a single character, w, takes longer to respond than the others. Perhaps, this is the second character of the password.

 pa 1.49 sec
 pb 1.49 sec
 pc 1.19 sec
 pd 1.43 sec
 pe 1.23 sec
 ...
 pw 2.09 sec
 px 1.47 sec
 py 1.22 sec
 pz 1.42 sec

We then start search for the third character and once again notice another character that takes longer than all the others. Seems we are on the right track. We know have three characters. pwn

pwa 2.10 sec
pwb 2.08 sec
pwc 2.20 sec
pwd 2.58 sec
pwe 2.47 sec
...
pwn 3.31 sec
pwo 2.40 sec
pwp 2.30 sec
pwq 2.17 sec

We know the password is four characters long so we are nearly there. For kicks we do the same timing and notice that this time there is a character that leads to a much faster response.

pwna 3.04 sec
pwnb 3.29 sec
pwnc 3.11 sec
pwnd 2.95 sec
pwne 3.44 sec
...
pwny 0.85 sec
pwnx 3.31 sec
pwnz 3.38 sec

We can also assume this is the correct password as we are created by a welcome screen. :-)

UIUCTF Whats_A_Syscall