Exploit Exercises - Protostar Net 0

I recently started looking at the “Net” problems in Protostar, and found them to be quite a fun change in pace.

Starting with Net 0, we are given the following code:

#include "../common/common.c"

#define NAME "net0"
#define UID 999
#define GID 999
#define PORT 2999

void run()
 unsigned int i;
 unsigned int wanted;

 wanted = random();

 printf("Please send '%d' as a little endian 32bit int\n", wanted);

 if(fread(&i, sizeof(i), 1, stdin) == NULL) {
  errx(1, ":(\n");

 if(i == wanted) {
  printf("Thank you sir/madam\n");
 } else {
  printf("I'm sorry, you sent %d instead\n", i);

int main(int argc, char **argv, char **envp)
 int fd;
 char *username;

 /* Run the process as a daemon */
 background_process(NAME, UID, GID); 

 /* Wait for socket activity and return */
 fd = serve_forever(PORT);

 /* Set the client socket to STDIN, STDOUT, and STDERR */

 /* Don't do this :> */


I started to analyze this program, to figure out what I was even supposed to do. It looks like it’s a daemon that runs on port 2999. When a connection is established, it will send a number, asking for it to be returned in little endian format. It will either then display “Thank you sir/madam” or “I’m sorry, you send X instead”. My goal was the prior.

I ended up creating the following code to convert the number to little endian and send it back:

#!/usr/bin/env python

# Protostar Net 0
# http://exploit-exercises.com/protostar/net0
# Matt Andreko
# twitter: @mandreko
# contact: matt [at] mattandreko.com

from socket import *
from struct import *
from optparse import OptionParser

def main(host, port):

 # Open a connection and read
 s = socket(AF_INET, SOCK_STREAM)
 s.connect((host, port))

 data = s.recv(1024)
 print "[*] Data: " + data

 # Find the numeric string.
 # Note it can be variable length, so search between quotes
 start = data.find("'") + 1
 end = data.find("'", start)

 num = int(data[start:end])
 print "[*] Num: " + str(num)

 # Convert the number to little endian format and send it back
 little = pack("<I", num)

 # Read response from server
 print s.recv(1024)

if __name__ == "__main__":
    parser = OptionParser("usage: %prog [options]")
    parser.add_option("-H", "--host", dest="hostname", default="", 
     type="string", help="Target to run against")
    parser.add_option("-p", "--port", dest="portnum", default=2999, 
     type="int", help="Target port")

    (options, args) = parser.parse_args()
    main(options.hostname, options.portnum)

When ran, that program produced the following output:

C:\Protostar>net0.py -H
[*] Data: Please send '634513062' as a little endian 32bit int

[*] Num: 634513062
Thank you sir/madam
comments powered by Disqus