Spica (Launched 1977)

  • Password: alanguage
  • (20 points)
Table of contents
  1. Starter files
  2. Your task
  3. Debugging
  4. Deliverables
The logs inside the Remus satellite contain a cryptic reference to a highly intelligent
bot. Of course, you had heard of the urban legend of EvanBot, the top-secret
genius AI that single-handedly developed Caltopian space travel technology, but
the message in Remus suggests that it may be more than a legend.
You decide to investigate further and follow the hint to Spica. Spica is an old Gobian
Union geolocation satellite with a utility for viewing telemetry log files. Exploit
this utility and hack into Spica to see what secrets it holds about the mysterious
EvanBot.

Starter files

Log into the spica account on the VM using the password you learned in the previous question. Run ls to see the starter files.

telemetry is the vulnerable C program in this question. It takes a file and prints out its contents, but it expects the file to be specially formatted: the first byte of the file specifies the length, and the remaining bytes are the file contents.

The starter files contain a small helper script generate-file-contents. This script takes arbitrary input and outputs the first 127 bytes in the format that telemetry expects:

# Example invocation:
$ ./generate-file-contents < exampleinput.txt

This helper script always generates safe files to be used with the telemetry program, but nothing prevents you from instead feeding telemetry an arbitrary file of your choice.


Your task

exploit takes the output of your egg script, saves it in a file, and then uses that file as input to telemetry. In other words, when telemetry calls fread, it reads from the output of your egg script.
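The following is an added example, not one of the starter files. It builds files in the one-byte-length-prefix format described above, both the "safe" way generate-file-contents does (truncate to 127 bytes, prepend the length) and with an arbitrary length byte, and it can be dropped in as an egg script since it writes the packed bytes to stdout exactly as exploit expects. The function names and the assumption that telemetry reads the length as a single byte in the range 0 to 255 are mine; how telemetry actually interprets that byte is what you should confirm in gdb.

```python
#!/usr/bin/env python3
# Added example (not the course's helper script): build telemetry-format files.
# Format (from the assignment text): one length byte, then the file contents.
import sys
from typing import Tuple

# generate-file-contents emits at most the first 127 bytes of its input (from the page).
MAX_SAFE_LEN = 127


def pack_safe(payload: bytes) -> bytes:
    """Mimic generate-file-contents: keep the first 127 bytes, prefix the length byte."""
    body = payload[:MAX_SAFE_LEN]
    return bytes([len(body)]) + body


def pack_raw(length_byte: int, payload: bytes) -> bytes:
    """Prefix an arbitrary length byte; the payload is written unchanged.

    Assumption: the length field is a single byte, so any value 0..255 fits.
    The helper never produces a length byte above 127; this function lets you
    choose one, and the declared length need not match len(payload).
    """
    if not 0 <= length_byte <= 255:
        raise ValueError("length byte must fit in one byte (0..255)")
    return bytes([length_byte]) + payload


def parse(blob: bytes) -> Tuple[int, bytes]:
    """Split a telemetry file into (declared length, bytes that follow).

    Useful for checking what you have built before handing it to exploit:
    compare the declared length with len(body) to spot a deliberate mismatch.
    """
    if not blob:
        raise ValueError("empty file")
    return blob[0], blob[1:]


if __name__ == "__main__":
    # Used as an egg script: read raw input on stdin, emit a safe packed file.
    # Swap in pack_raw(...) once you know what length byte you want.
    data = sys.stdin.buffer.read()
    sys.stdout.buffer.write(pack_safe(data))
```

Run it as `./egg < exampleinput.txt | xxd` to inspect the bytes telemetry will fread; the first column of the dump is the length byte.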


Debugging

No input or output redirection is needed for this question: debug-exploit automatically feeds the output of your egg script into the C program. You can start running the program in gdb with just run or r.


Deliverables

A script egg and a writeup. Make sure the script works by running ./exploit and checking that you are able to run cat README and see the next password.