jigsaw@jigsaw
  • About Me
  • 👾Forensics CTF Methodology
    • Hard Disk Analysis Methodology
  • 📝ICTF 2024 Writeups
    • REDACTED
    • UnDelete
    • UnRename
  • 📝OSCTF 2024 Writeups
    • Leaky Pipes [Pwn]
    • Buffer Buffet [Pwn]
    • Another Python Game [Rev]
    • Phantom Script Intrusion [Forensics]
    • FOR101 [Forensics]
  • 📝UTAR Amazing Cyber Hunt CTF Writeups
    • OLE - Dirty Laundry [Forensics]
  • 📝PWC Hackaday CTF 2024
    • Taking On PWC's Active Directory Challenges Again
  • 📝SherpaCTF 2024 Writeups
    • Oren [Boot2Root]
Powered by GitBook
On this page
  1. OSCTF 2024 Writeups

Leaky Pipes [Pwn]

PreviousUnRenameNextBuffer Buffet [Pwn]

Last updated 7 months ago

The challenge provided us with a nc connection to the server hosting the binary and the binary itself. So, without launching Ghidra or IDA, we can use the following tool to disassemble the binary.

The disassembled file is as follows:

int __cdecl readflag(char *s, int n)
{
  FILE *stream; // [esp+Ch] [ebp-Ch]

  stream = fopen("./flag.txt", "r");
  if ( !stream )
  {
    printf("%s %s\n", "Please create 'flag.txt' in this directory with your", "own debugging flag.");
    exit(0);
  }
  fgets(s, n, stream);
  return fclose(stream);
}

//----- (08049361) --------------------------------------------------------
int vuln()
{
  char format[128]; // [esp+0h] [ebp-C8h] BYREF
  char s[68]; // [esp+80h] [ebp-48h] BYREF

  readflag(s, 64);
  printf("Tell me your secret so I can reveal mine ;) >> ");
  __isoc99_scanf("%127s", format);
  puts("Here's your secret.. I ain't telling mine :p");
  printf(format);
  return putchar(10);
}
// 80491A0: using guessed type int __cdecl __isoc99_scanf(_DWORD, _DWORD);
// 8049361: using guessed type char s[68];

//----- (080493ED) --------------------------------------------------------
int __cdecl main(int argc, const char **argv, const char **envp)
{
  __gid_t v4; // [esp+0h] [ebp-Ch]

  setvbuf(stdout, 0, 2, 0);
  v4 = getegid();
  setresgid(v4, v4, v4);
  vuln();
  return 0;
}

The vulnerability present in the binary is within the printf function, the complete detail on this vulnerability can be found on my old blog here:

With that explanation, no script is needed here. By connecting to the instance given to us, we can just insert a 100 %x's and expect the binary to leak out information from the stack.

Now, all we need to do is to swap the endianness of the output and convert the output from hex. However, no flag appeared. So, referring to my old blog post, there may be some "bad bytes".

By removing some of the characters from the start of the hex output, we finally got the flag!

flag: OSCTF{F0rm4t_5tr1ngs_l3ak4g3_l0l}
📝
LogoDecompiler ExplorerDecompiler Explorer
Logo[picoCTF 2021] StonksMedium