Tags: ghidra python pwn 

Rating:

# Write-up: COVID tracker tracker tracker
![badge](https://img.shields.io/badge/CTF%20Writeup-unsolved-red)

## Description

### My Story
I was working on it for one day (even after CTF finished) and I learned a lot.

I executed the program this way in the directory I downloaded the three files of challenge:
```
$ ./ld-linux-x86-64.so.2 --library-path . ./cttt

COVID tracker tracker tracker
=============================
1) Add tracker
2) Edit tracker
3) Remove tracker
4) List trackers
5) Exit
>
```

At the first look I guessed it should be a heap challenge; and it is.

#### Static Analysis

I decompiled `cttt` using Ghidra and found these interesting functions:
* add
* edit
* delete
* list

and these global variables:
* urls
* is_deleted

Functions functionality is obvious. Each is responsible for one of the menu items. But I analyzed those function statically to find out `urls` and `is_deleted` use cases. It got cleared:

```
char *urls[16];
char is_deleted[16];
```

And now functions are more clear:
* add => `urls[index] = malloc(sizeof(char) * 0x40)`
* edit => `*urls[index] = some_input`
* delete => `free(urls[index]); is_deleted[index] = 1`
* list => print every url allocated `char*` if isn't deleted.

The vulnerability is that `delete` doesn't reset the `urls[index]` value to zero! So it is a use-after-free.

#### Challenging
I'm not so experienced in heap exploitation. so I started searching about heap structure and I learned some stuffs. But heap is more complicated to be understood in one day or two!

I found this amazing resource for learning about heap: [https://heap-exploitation.dhavalkapil.com/](https://heap-exploitation.dhavalkapil.com/)

It's awesome! But I wanted to solve the challenge quickly. So I skipped a lot... I just started trial and error!

#### Trial & Error
I used `add` four times. and used `edit` for each added URL. first one, `AAAAAAAA`; second one `BBBBBBBB` and ... this is the heap after that:
```
-----------------------first-------------------------
0x4056a0: 0x0000000000000000 0x0000000000000051
0x4056b0: 0x4141414141414141 0x000000000000000a
0x4056c0: 0x0000000000000000 0x0000000000000000
0x4056d0: 0x0000000000000000 0x0000000000000000
0x4056e0: 0x0000000000000000 0x0000000000000000
----------------------second-------------------------
0x4056f0: 0x0000000000000000 0x0000000000000051
0x405700: 0x4242424242424242 0x000000000000000a
0x405710: 0x0000000000000000 0x0000000000000000
0x405720: 0x0000000000000000 0x0000000000000000
0x405730: 0x0000000000000000 0x0000000000000000
-----------------------third-------------------------
0x405740: 0x0000000000000000 0x0000000000000051
0x405750: 0x4343434343434343 0x000000000000000a
0x405760: 0x0000000000000000 0x0000000000000000
0x405770: 0x0000000000000000 0x0000000000000000
0x405780: 0x0000000000000000 0x0000000000000000
-----------------------forth-------------------------
0x405790: 0x0000000000000000 0x0000000000000051
0x4057a0: 0x4444444444444444 0x000000000000000a
0x4057b0: 0x0000000000000000 0x0000000000000000
0x4057c0: 0x0000000000000000 0x0000000000000000
0x4057d0: 0x0000000000000000 0x0000000000000000
-----------------------------------------------------
0x4057e0: 0x0000000000000000 0x0000000000020821
0x4057f0: 0x0000000000000000 0x0000000000000000
```
I was understanding how it works... then I `delete`ed 2 and 3 and 4: (Do you remember the vulnerability? we still access to each of pointers of deleted URLs.)
```
-----------------------first-------------------------
0x4056a0: 0x0000000000000000 0x0000000000000051
0x4056b0: 0x4141414141414141 0x000000000000000a
0x4056c0: 0x0000000000000000 0x0000000000000000
0x4056d0: 0x0000000000000000 0x0000000000000000
0x4056e0: 0x0000000000000000 0x0000000000000000
----------------------second-------------------------
0x4056f0: 0x0000000000000000 0x0000000000000051
0x405700: 0x0000000000000000<-- 0x0000000000405010
0x405710: 0x0000000000000000 | 0x0000000000000000
0x405720: 0x0000000000000000 | 0x0000000000000000
0x405730: 0x0000000000000000 | 0x0000000000000000
---------------------third-------|-------------------
0x405740: 0x0000000000000000 | 0x0000000000000051
0x405750: -->0x0000000000405700--- 0x0000000000405010
0x405760: | 0x0000000000000000 0x0000000000000000
0x405770: | 0x0000000000000000 0x0000000000000000
0x405780: | 0x0000000000000000 0x0000000000000000
----------|------------forth-------------------------
0x405790: | 0x0000000000000000 0x0000000000000051
0x4057a0: ---0x0000000000405750 0x0000000000405010
0x4057b0: 0x0000000000000000 0x0000000000000000
0x4057c0: 0x0000000000000000 0x0000000000000000
0x4057d0: 0x0000000000000000 0x0000000000000000
-----------------------------------------------------
0x4057e0: 0x0000000000000000 0x0000000000020821
0x4057f0: 0x0000000000000000 0x0000000000000000
```
Now lets add 2 URLs and edit them to some specific values:
```
-----------------------first-------------------------
0x4056a0: 0x0000000000000000 0x0000000000000051
0x4056b0: 0x4141414141414141 0x000000000000000a
0x4056c0: 0x0000000000000000 0x0000000000000000
0x4056d0: 0x0000000000000000 0x0000000000000000
0x4056e0: 0x0000000000000000 0x0000000000000000
----------------------second-------------------------
0x4056f0: 0x0000000000000000 0x0000000000000051
0x405700: 0x0000000000000000 0x0000000000405010
0x405710: 0x0000000000000000 0x0000000000000000
0x405720: 0x0000000000000000 0x0000000000000000
0x405730: 0x0000000000000000 0x0000000000000000
-----------------------third-------------------------
0x405740: 0x0000000000000000 0x0000000000000051
0x405750: 0x3131313131313131 0x000000000000000a
0x405760: 0x0000000000000000 0x0000000000000000
0x405770: 0x0000000000000000 0x0000000000000000
0x405780: 0x0000000000000000 0x0000000000000000
-----------------------forth-------------------------
0x405790: 0x0000000000000000 0x0000000000000051
0x4057a0: 0x3030303030303030 0x000000000000000a
0x4057b0: 0x0000000000000000 0x0000000000000000
0x4057c0: 0x0000000000000000 0x0000000000000000
0x4057d0: 0x0000000000000000 0x0000000000000000
-----------------------------------------------------
0x4057e0: 0x0000000000000000 0x0000000000020821
0x4057f0: 0x0000000000000000 0x0000000000000000
```
Awesome! Did you get it?! The last `new` I used, caused an allocation on the same address that forth URL was pointing to. (`0x4057a0` value was `0x405750` and the last allocation was on the former address.)

#### Idea
I need to repeat the same inputs. But before the last step (`new` two times) `edit` the forth URL and set its value to whatever address that I want to control.

Which address I wanna control?! :thinking:

* What about Global Offset Table (GOT)? But RelRO is fully activated: (I haven't access to write in the .got section!)
```
gdb-peda$ checksec
CANARY : ENABLED
FORTIFY : disabled
NX : ENABLED
PIE : disabled
RELRO : FULL
```

#### Bypass Full RelRO
I searched and found the `__free_hook` solution. There is some global variables that is of function pointer type. ([read more](https://www.gnu.org/software/libc/manual/html_node/Hooks-for-Malloc.html))

I need to rewrite the value of one of them. `__free_hook` is a good choice because when I do `delete` the first argument of `free` function is of type `char*`. It's like `system` function. So I can change free hook value to `system` address.

But there is another problem named ASLR! :dizzy_face:
I don't know the address of `__free_hook`!!

#### Bypass ASLR
I should leak an address from LIBC to bypass this &%*#$ :shit:!

If I can make some of the `urls` (that is `char*`) point to one of the records of GOT, I can then use `list` to print that address (that is a specific address of LIBC).

Now I have all the puzzle pieces. Lets put them together.

### Exploit Time
I used `add` three time at the first step and `remove` two times at the second step for smaller exploit code.

I think there are enough comments on the code:
[exploit.py](./exploit.py)

### Flag
I got the bash. there was a `flag.txt` file. cat it!
And this is the flag:
```
nactf{d0nt_us3_4ft3r_fr33_zsouEFF4bfCI5eew}
```

Original writeup (https://github.com/ternary-bits/CTF-Challenges/blob/master/pwn/2020-nactf-cttt/WRITEUP.md).