Admin UI 3 | Google CTF 2018

Google CTF 2018

Admin UI 3

The code quality here is terrible. Even the temperature scale is measured in “Kevins”. Just bad Q/A all around here. If they choose to measure in Kevins rather than Kelvins, then it’s a sure bet that they can’t handle their memory properly. It looks like this also controls the SmartFridge2000 internal temperature for that whole home “just-works” experience.

You can find my all CTF solution in here

Question gives clue about memory vulnaribities.

When I look command_line function in IDA I saw the shell input.

When I look at the shell funciton I figure out the _ZL13shell_enabled flag. If this flag xor 1 is true. debug_shell() can be called. Otherwise shell can’t open.

If we change _ZL13shell_enabled value from memory we can open the shell.

 

They use the gets() function rather than fgets() so that we can use the Bufffer Overflow.

Also in the “echo” side program have format strings vulnerability.

 

When I test format strings vulnerability;

 

First I want to try to overflow buffer.

I want to jump this bellow adress so that I write script for that,

.text:0000000041414227 _Z11debug_shellv proc near

Output:

CTF{c0d3ExEc?W411_pL4y3d}

I found the flag but we can also use the format string using echo

I also write script for that

 

Leave a Reply

Your email address will not be published. Required fields are marked *