# Cache Me Outside

### Part 1 - The intials

We start by looking at the things we can see easily. 

![image.png](attachment:8f3e1d5b-969c-4804-9dc4-b19fa2018ac0.png)

Alright so allegedly we are allowed to edit one byte in the program, and we can pass it an address and value. So this is where we are at

> #### What we know
> * can provide at least 2 inputs to the program
    * one is allegedly an address
    * one is allegedly a value that gets placed at that address?
>
> #### What we mostly dont know
> * what is being done with the 2 inputs
    * assuming the inputs correspond to an address and value, how are they being translated/used 
    

Lets also look at the Makefile
```markdown
all:
	gcc -Xlinker -rpath=./ -Wall -m64 -pedantic -no-pie --std=gnu99 -o heapedit heapedit.c

clean:
	rm heapedit
```
soo not a lot going on here, but lets break down some of the flags that are used here

* -Xlinker -rpath=./ -- from reading https://flameeyes.blog/2010/06/20/the-why-and-how-of-rpath/ quickly and knowing the files that were provided for this challenge, it looks like this flag was introduced to allow symbols to be resolved to `libc.so.6`. 
* [-m64][1] -- 64 bit environment
* [-no-pie][2] -- Don't produce a dynamically linked position independent executable
    
[1]: https://linux.die.net/man/1/gcc
[2]: https://man7.org/linux/man-pages/man1/gcc.1.html


So update our list
> #### What we know
> * can provide at least 2 inputs to the program
>    * one is allegedly an address
>    * one is allegedly a value that gets placed at that address?
> * running on 64 bit system (probably)
> * because PIE is a precondition for ASLR, we know that the addresses should stay the same throughout executions of the program. this also makes sense within what is reasonable for this challenge 
> 
> #### What we mostly dont know
> * what is being done with the 2 inputs
>    * assuming the inputs correspond to an address and value, how are they being translated/used 


At this point, we have a few options that we can go with
1) try and throw random junk at the program. we know that we may be able to edit a byte, so eventually we might get back something
2) start looking into the `heapedit` or `libc.so.6` binaries that we were given

We are going to start off by looking at `heapedit` because it is the program that is running, and presumably `libc.so.6` contains the implementation for some function that `heapedit` is using. So we are going to look first at the main function in ghidra 


```c
undefined8 main(void)

{
  long in_FS_OFFSET;
  undefined local_a9;
  int local_a8;
  int local_a4;
  undefined8 *local_a0;
  undefined8 *local_98;
  FILE *local_90;
  undefined8 *local_88;
  void *local_80;
  undefined8 local_78;
  undefined8 local_70;
  undefined8 local_68;
  undefined local_60;
  char local_58 [72];
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  setbuf(stdout,(char *)0x0);
  local_90 = fopen("flag.txt","r");
  fgets(local_58,0x40,local_90);
  local_78 = 0x2073692073696874;
  local_70 = 0x6d6f646e61722061;
  local_68 = 0x2e676e6972747320;
  local_60 = 0;
  local_a0 = (undefined8 *)0x0;
  local_a4 = 0;
  while (local_a4 < 7) {
    local_98 = (undefined8 *)malloc(0x80);
    if (local_a0 == (undefined8 *)0x0) {
      local_a0 = local_98;
    }
    *local_98 = 0x73746172676e6f43;
    local_98[1] = 0x662072756f592021;
    local_98[2] = 0x203a73692067616c;
    *(undefined *)(local_98 + 3) = 0;
    strcat((char *)local_98,local_58);
    local_a4 = local_a4 + 1;
  }
  local_88 = (undefined8 *)malloc(0x80);
  *local_88 = 0x5420217972726f53;
  local_88[1] = 0x276e6f7720736968;
  local_88[2] = 0x7920706c65682074;
  *(undefined4 *)(local_88 + 3) = 0x203a756f;
  *(undefined *)((long)local_88 + 0x1c) = 0;
  strcat((char *)local_88,(char *)&local_78);
  free(local_98);
  free(local_88);
  local_a8 = 0;
  local_a9 = 0;
  puts("You may edit one byte in the program.");
  printf("Address: ");
  __isoc99_scanf(&DAT_00400b48,&local_a8);
  printf("Value: ");
  __isoc99_scanf(&DAT_00400b53,&local_a9);
  *(undefined *)((long)local_a8 + (long)local_a0) = local_a9;
  local_80 = malloc(0x80);
  puts((char *)((long)local_80 + 0x10));
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return 0;
}
```

So we see that the first `scanf`'s format type is a `%d`, and the second's is a `%c`. So the first thing we pass to the program will be interpreted as a signed int, and the second as a character. then in `*(undefined *)((long)local_a8 + (long)local_a0) = local_a9;` the argument passed to the `%d` input will occupy `local_a8`, and the combination of that integer and some `local_a0` will be interpreted as a memory address and dereferenced, and the character we passed in the second input will be placed in that dereferenced location. 

We also see that the flag is being brought in and stored in a local variable `local_58` via `fgets(local_58,0x40,local_90);`.

Knowing that we can change one byte, it would be nice if we could change a bit for something that wants to print a character. Luckily we have `puts((char *)((long)local_80 + 0x10));`, so potentially we could use that. 

Initially, lets look at targeting `local_80`. 

What we want is `puts((char *)((long)local_80 + 0x10))` to actually read `puts((char *)local_58)`, and to make this happen we need `(long)local_58 == (long)local_80 + 0x10`. 

lets start with figuring out some things about `local_58`, and then work our way back to figure out what is `local_80`

### `local_58`

From ghidra, we know that  we know  
![image.png](attachment:318a6e7c-0462-4864-bbff-b5fa659c2bbb.png)
So we can see that `local_58` is going to be accessed at `EBP - 0x58`, given whatever frame we are in during the function invocation. If we wanted to know what that address is going to be, we would have to be able to predict the location of the stack pre-execution

In [2]:
from pwn import *

In [3]:
e = ELF('heapedit')

[*] '/home/bork/dev/ctf-projects/picoctf/cache_me_outside/heapedit'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
    RUNPATH:  b'./'


In [2]:
io = remote("mercury.picoctf.net", 10097)

[x] Opening connection to mercury.picoctf.net on port 10097
[x] Opening connection to mercury.picoctf.net on port 10097: Trying 18.189.209.142
[+] Opening connection to mercury.picoctf.net on port 10097: Done


## getting heapedit to run locally
By default, trying to run the heapedit binary causes a segfault

![image.png](attachment:d8160377-6007-4aeb-9474-755a2eff80bf.png)

Looking into the strace, we can see some errors with invoking the dynamic loader

![image.png](attachment:74c7b370-e351-4114-a111-2d17166dafe0.png)

Luckily, we can just use pwninit to magically solve this issue for us

![image.png](attachment:56d286fb-e0ab-4883-8f0d-c49d1442220b.png)

