Spica (Launched 1977)
- Password: alanguage
- (20 points)
The logs inside the Remus satellite contain a cryptic reference to a highly intelligent
bot. Of course, you had heard of the urban legend of EvanBot, the top-secret
genius AI that single-handedly developed Caltopian space travel technology, but
the message in Remus suggests that it may be more than a legend.
You decide to investigate further and follow the hint to Spica. Spica is an old Gobian
Union geolocation satellite with a utility for viewing telemetry log files. Exploit
this utility and hack into Spica to see what secrets it holds about the mysterious
EvanBot.
Starter files
Log into the spica account on the VM using the password you learned in the previous question. Run ls to see the starter files.
telemetry is the vulnerable C program in this question. It takes a file and prints out its contents, but it expects the file to be specially formatted: the first byte of the file specifies its length, followed by the actual file.
The starter files contain a small helper script, generate-file-contents. This script takes arbitrary input and outputs the first 127 bytes in the format that telemetry expects:
# Example invocation:
$ ./generate-file-contents < exampleinput.txt
This helper script always generates safe files to be used with the telemetry program, but nothing prevents you from instead feeding telemetry an arbitrary file of your choice.
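The file layout described above (one length byte, then the contents), as an added example in Python that is not part of the course's starter files: encode mirrors what generate-file-contents is described as doing, and check is a strict well-formedness test a reader of such files could apply. The function names and the rejection policy are assumptions.

```python
# Added example: not the course's generate-file-contents or telemetry code.
MAX_PAYLOAD = 127  # the helper emits at most the first 127 bytes of its input


class FormatError(ValueError):
    """Raised when a file does not match the expected layout."""


def encode(data: bytes) -> bytes:
    """Mimic the described helper: keep the first 127 bytes, prefix the length."""
    payload = data[:MAX_PAYLOAD]
    return bytes([len(payload)]) + payload


def check(blob: bytes) -> bytes:
    """Return the payload if blob is well formed, else raise FormatError.

    Assumed policy (not stated on the page): the length byte must be at most
    127 and must equal the number of bytes that follow it.
    """
    if not blob:
        raise FormatError("empty file: no length byte")
    declared = blob[0]  # indexing bytes yields an unsigned int in 0..255
    payload = blob[1:]
    if declared > MAX_PAYLOAD:
        raise FormatError(f"declared length {declared} exceeds {MAX_PAYLOAD}")
    if declared != len(payload):
        raise FormatError(
            f"declared length {declared} but {len(payload)} bytes follow")
    return payload


def classify(blob: bytes) -> str:
    """Convenience wrapper returning 'ok' or the rejection reason."""
    try:
        check(blob)
        return "ok"
    except FormatError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample inputs, not files from the VM.
    samples = [encode(b"lat=37.87 lon=-122.26\n"), encode(b"A" * 300),
               b"", b"\x05abc", b"\xc8" + b"B" * 200]
    for s in samples:
        print(len(s), classify(s))
```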
Your task
exploit takes the output of your egg script, saves it in a file, and then uses that file as input to telemetry. In other words, when telemetry calls fread, it reads from the output of your egg script.
Debugging
No input or output redirection is needed for this question. debug-exploit automatically feeds the output of your egg script into the C program. You can start running the program in gdb with just run or r.
Deliverables
A script egg and a writeup. Make sure the script works by running ./exploit and checking that you are able to run cat README and see the next password.