Category: PWN Points: 244 Solves: 107
Challenge Description: As promised a pwn challenge...
Artifact Files:
The challenge gives us direct access to the source code of the program, so let's take a look at it !
We see that a print_flag() function is defined in the program but never used which is pretty peculliar let's say...
Looking at main() we can see that a char[16] buffer is created on the stack before the program prints What is your favorite food? to the user. It then takes input using scanf("%s", buffer); to load user input into our buffer.
The important thing to notice here is that there is absolutely no size check for the user input, while our buffer is limited to 16 chars of length.
This program is an ELF x64 bits and does not seem to have a lot of securities activated as shown here:
So our hypothesis is that any input longer than 16 of length might cause a Stack Buffer Overflow and lead to potential manipulation of RIP (instruction pointer).
We can test that out by inputing a bunch of As into our program and see if we get a SEGFAULT
And we do ! Let's check in gdb if we can overwrite RIP and control the program's execution flow.
Perfect ! Now we just have to manipulate rip to return to that print_flag() function which should print us the flag when executed on the remote.
1. Command line
So first of all in order to return to print_flag() we need to know it's address. For that we can use objdump -t ./ret0 | grep print_flag
So we know the address of print_flag is 0x00000000004011b3 !
Now we need to find the correct offset to overwrite RIP, we can do this just by playing around with the payload length or by using a unique pattern so that we can find the exact offset by calculation. gdb-peda has an inbuilt pattern utility tool to help us do such a thing.
We can use the pattern create 40 command to create a pattern of length 40 which should be enough to overflow our memory in this case.
Pattern : AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAa
Let's input it in the program and use pattern search to get the correct offset
We can see that we have a 24 offset until we reach the desired memory location we want to write to.
So we can build a payload with python as such :
python2 -c 'print "A"*24 + "\xb3\x11\x40\x00\x00\x00\x00\x00"' | ./ret0
Let's try it out and see if we get to call the print_flag() function !
And it works ! Now we just need to pipe it into the remote host to get the actual flag of the challenge.
And we got our flag : wsc{Th0s3_p3sky_STACKS!!!}
2. Python Script
Just for good practice I wanted to include a python script to solve this challenge. The method is still the exact same, I just use the pwn.ELF() class from pwntools to load elf symbols and addresses from the binary and build the same payload :)
The exploit.py script :
And we get the same result just with a script and with a much cooler display :O
This is a beginner buffer overflow exploit challenge that's always nice and chill to solve when they're in the competition and teaches a lot to the new comers to the CTF scene, really lovely as usual !
That's it for this WriteUp of babyRet from WolvSec 2022CTF, I really hoped you enjoyed it since this is my first writeup ever so yeaaaah ! I'll probably try to do the other pwn challenges since I managed to pwn all of them so see ya in the next challenges I suppose :D