Welcome to pwnyOS!! pwnyOS is a custom x86 operating system that supports link-time kASLR, multitasking and kernel threads, execution of genuine ELF files, a realtime high resolution graphics engine, and a custom hierarchical file system. This OS was written from the ground up with its use as a challenge for UIUCTF 2020 in mind. All source code in the OS is 100% custom handwritten C and assembly- there are no libraries used, and none of its code can be found anywhere online. This competition simulates an unprivileged user with physical access to a keyboard and terminal attempting to gain local privilege escalation on an unfamiliar system. Documentation: https://github.com/sigpwny/pwnyOS-2020-docs/blob/master/Getting_Started.pdf System Calls: https://github.com/sigpwny/pwnyOS-2020-docs/blob/master/Syscalls.pdf For your first challenge: Login to the OS with username sandb0x Password is 4 characters, all lowercase letters. First character is 'p'. I wonder if there's a way to leak the next char, knowing that the first part of the password is right...? Author: ravi
We connect to our VM and are greeted by an excellent login page.
We have a username, sandb0x, but only the first character of the password, so we need to find a way to get the rest of it. We know the first character will be the letter p. Since we know the first character, we start playing around with some characters that we know are incorrect. We notice that any other character quickly returns "incorrect", while for p the response takes a bit longer. Based on this and the reference to time in the challenge name, we can guess this is some kind of timing attack.
The basic idea is that there is a discrepancy in the time it takes to complete certain actions, and that discrepancy leaks information about the values being checked.
We start trying different characters and tracking how long it takes pwnyOS to respond. We notice that the responses are fairly close to each other. However, as we continue we notice that a single character, w, takes longer to respond than the others. Perhaps this is the second character of the password.

pa  1.49 sec
pb  1.49 sec
pc  1.19 sec
pd  1.43 sec
pe  1.23 sec
...
pw  2.09 sec
px  1.47 sec
py  1.22 sec
pz  1.42 sec
We then start searching for the third character and once again notice another character that takes longer than all the others. It seems we are on the right track. We now have three characters.

pwa  2.10 sec
pwb  2.08 sec
pwc  2.20 sec
pwd  2.58 sec
pwe  2.47 sec
...
pwn  3.31 sec
pwo  2.40 sec
pwp  2.30 sec
pwq  2.17 sec
We know the password is four characters long, so we are nearly there. For kicks we do the same timing and notice that this time there is a character that leads to a much faster response.

pwna  3.04 sec
pwnb  3.29 sec
pwnc  3.11 sec
pwnd  2.95 sec
pwne  3.44 sec
...
pwny  0.85 sec
pwnx  3.31 sec
pwnz  3.38 sec
We can also assume this is the correct password, as we are greeted by a welcome screen. :-)
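The root cause behind the leak measured above is a password check that stops at the first wrong byte, so the time spent grows with the length of the correct prefix. As an added illustration (not pwnyOS code; the kernel's actual check is not shown on this page), here is a constructed model of such a check beside a constant-time version, with a counter of bytes examined standing in for elapsed time and the secret set to the password the writeup recovers.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the login check (the real pwnyOS code is not on the
 * page); the secret is the 4-character password the writeup recovers. */
#define PW_LEN 4
static const char SECRET[PW_LEN] = { 'p', 'w', 'n', 'y' };

/* Zero-pad the guess to PW_LEN so short guesses like "pa" compare against
 * the same number of bytes as a full-length one. */
static void load_guess(const char *guess, char buf[PW_LEN])
{
    size_t n = strlen(guess);
    for (size_t i = 0; i < PW_LEN; i++)
        buf[i] = (i < n) ? guess[i] : '\0';
}

/* Vulnerable check: returns at the first mismatching byte, so *work (bytes
 * examined, a stand-in for time) equals the correct prefix length plus one. */
int leaky_check(const char *guess, size_t *work)
{
    char buf[PW_LEN];
    load_guess(guess, buf);
    *work = 0;
    for (size_t i = 0; i < PW_LEN; i++) {
        (*work)++;
        if (buf[i] != SECRET[i])
            return 0;
    }
    return 1;
}

/* Hardened check: examines every byte and folds all differences into one
 * accumulator, so *work is identical for every guess. */
int ct_check(const char *guess, size_t *work)
{
    char buf[PW_LEN];
    uint8_t diff = 0;
    load_guess(guess, buf);
    *work = 0;
    for (size_t i = 0; i < PW_LEN; i++) {
        (*work)++;
        diff |= (uint8_t)(buf[i] ^ SECRET[i]);
    }
    return diff == 0;
}
/* Convenience wrappers returning only the byte count of each check. */
size_t leaky_work(const char *g) { size_t w; leaky_check(g, &w); return w; }
size_t ct_work(const char *g)    { size_t w; ct_check(g, &w); return w; }
```

With the leaky version, "pa", "pwa" and "pwna" cost 2, 3 and 4 byte comparisons respectively, which is exactly the gradient the writeup measures; the constant-time version costs 4 for every guess.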