Skip to main content

belgian-hackerolympiad-2017 exploitation write up \ (•◡•) / (day 72)


Welcome back to another PWN CTF, this time we will be looking on how to solve the exploitation challenge from the Hackerolympiad Thomas More & NVISO.

link to the binary: https://github.com/ctfs/write-ups-2017/tree/master/belgian-hackerolympiad-2017/exploitation/luigi

First, let's try to execute it in order to get the big picture of the program workflow

before executing the program, we need the binary to be executable by using chmod utility

~# chmod +x challenge



uh-oh! it seems we missing something that leads to a segmentation fault, we need to gain more understand to find out what we need to supply along the binary so it won't crash at the next execution. We can use Ghidra to help us with this task. It helps us to analyze the binary in detail manner by providing the pseudocode of the program




After ghidra finish load the binary, go to the main function and take a look at the disassembler window that contains the main function source code. One of the functions that catch my eyes is the read_flag function and when we try to go to the function we can see it needs to load flag.txt file



from this simple check, we can conclude that we need to create a fake flag.txt in our directory so the program will run as the way it supposed to be.





Once the fake flag.txt is created. Try to execute it again and as you can see it's not crash

next, we need to fuzz the program to trigger a buffer overflow, we can do this supplying a really long string of pattern.



But after a couple of trial and error by supplying a longer string in every iteration it seems the result is not what we expected. Let's go back again to ghidra to study the main function one more time.



The first section of the code is responsible to take the input from the user and each one of our input will be passed to read_string() function. The function itself requires two parameters first is the local variable that will hold our input and the second will be the limit on how long the string will be stored into the stack.

the second section of the code is responsible to get the flag.txt content and stored into the local variable.

the third section is responsible to compare the input for username if its match with string admin and input for the password is matched with string get from the "flag.txt"

In terms of memory management the program doing all of it correctly so that's why we don't get buffer overflow vulnerability.

after a couple of minutes of debugging the binary and examine the stack in every function call I found out that we were looking at the wrong place, it turns out we can get the content of the flag by exploiting the printf that located at the end of the main function.

Let me explain why









we will put three breakpoints into this address, each of the addresses is responsible to call read_string and read_flag that will process our input respectively.

by putting a breakpoint into there address we can examine how the program stores our input and processed it in real-time.



The first input we supply for the username is just "AAAA", we hit the breakpoint and when we examine the stack we can see that our input is stored at 0x7fffffffd950



The second input we supply for the password is just "BBBBBBB", we hit the breakpoint again and as you can see it start storing the string at 0x7fffffffd910

and at the last breakpoint, the flag is stored at address 0x7fffffffd990 so it is adjacent to the first input.



as you remember from our last analysis from the source code if the username is not matched with the string admin it will notify that the string we just input is wrong.



The program will take the value stored in 0x7fffffffd950 (which contains contain the username input) and output the content through print function.

So what is the problem here?

as you know printf will stop printing the value if its hit "\x00" at the memory and since the username input and the flag location is adjacent all we need to do is to fill enough memory (which is 0x40) until it reaches 0x7fffffffd950, like this

 

since we provide the wrong value to the program, the printf function will just spit out everything from 0x7fffffffd950 until it's found "\x00" and because the "\x00" is not available before the flag, this will eventually continue to dump the value of the flag






That's all folks, hope you enjoy it :)


Labels:

Comments

Post a Comment

Popular posts from this blog

Having fun analyzing nginx log to find malicious attacker in the net (ง'̀-'́)ง (day 37)

  What makes you sleepless at night? is it because of a ghost or scary stories? is it because you have an important meeting tomorrow? or is it because you have an exam? For me, what keeps me up all night is that I keep thinking about what happens to a website that I just created, is it safe from an attacker (certainly not) or did I missing some security adjustments that lead to vulnerability? well I'm not the best secure programmer in the world, I'm still learning and there is a big possibility that I can make a mistake but for me, a mistake can be a valuable investment to myself or yourself to be better so from this idea, I want to know more about what attackers casually do when attacking a website. Here in this post, I'm going to show you how I analyzed attack to the website that I have permission to design and also some interesting findings that I could get from the analysis Background: All of this analysis comes from the traffic that is targeted to th
Post a Comment
Read More »

Utilize Pwntools for crafting ROP chain :') (day 69)

who doesn't like pwntools? it is a very versatile tool and can be customized according to our need using the python script but did you need to know that pwntools itself can help us to automatically craft a rop chain for us? so in this post, I will show you how to make rop chain less painful and make pwntools do all the heavy lifting. To demonstrate this I will use the binary challenge callme 64 bit from ropemporium link: https://ropemporium.com/challenge/callme.html Crashing the app: Like any other exploitation process, we need to crash the program by generating a long string pattern to determine the offset. based on the information from the above figure we can see that we required to provide 40 bytes of offset Fun stuff: now this where the fun stuff began write the following python script: as in the guideline of the challenged said we need to chain the function call by first to call the callme_one function, callme_two function and then callme_three funct
Post a Comment
Read More »

WriteUp PWN tarzan ROP UNICTF ಠ_ಠ (day 61)

So in this post, I'm going to talk about how to solve the Tarzan pwn challenge from UNICTF 2019. Back in the day when the competition is still going I couldn't finish it and don't have any clue to solve this but this time I was able to finish it :) Also in this post, we will be going to be heavily focused on how to utilize pwntools to construct a ROP chain. If you kinda confused about my explanation in this post you can refer to this following youtube video, link: https://www.youtube.com/watch?v=gWU2yOu0COk I build the python script based on this video Ok, let's get started! In this challenge, you will get two binary first go with tarzan and libc-2.29.so by providing .so file it tell us what version library that the target machine is using this could help us to do ROP chain. first, we run the Tarzan binary to get the basic idea of the program work and as you can see it just show you some text, newline and when you try to input something it doesn't gi
Post a Comment
Read More »