CTFtime.org / LA CTF 2023 / ctfd-plus / Writeup

entry point looks like:

```C
undefined8 entry(void)

{
char correct_flag_char;
size_t sVar1;
long n;
undefined4 *puVar2;
char input_flag [256];

puts("Welcome to CTFd+!");
puts("So far, we only have one challenge, which is one more than the number of databases we have.\n");
puts("Very Doable Pwn - 500 points, 0 solves");
puts("Can you help me pwn this program?");
puts("#include <stdio.h>\nint main(void) {\n puts(\"Bye!\");\n return 0;\n}\n");
puts("Enter the flag:");
fgets(input_flag,0x100,stdin);
sVar1 = strcspn(input_flag,"\n");
n = 0;
puVar2 = &DAT_00104060;
input_flag[sVar1] = '\0';
do {
correct_flag_char = whatever(puVar2[n]);
if (correct_flag_char != input_flag[n]) {
puts("Incorrect flag.");
return 0;
}
n = n + 1;
} while (n != 0x2f);
puts("You got the flag! Unfortunately we don\'t exactly have a database to store the solve in...");
return 0;
}
```

we can patch the binary so this is never taken:

```C
if (correct_flag_char != input_flag[n]) {
puts("Incorrect flag.");
return 0;
}
````

by changing JZ to JMP:

```
00101106 e8 25 01 00 00 CALL whatever undefined whatever()
0010110b 3a 04 33 CMP correct_flag_char,byte ptr [RBX + n*0x1]=>input_flag
HERE 0010110e 74 e8 JZ LAB_001010f8
00101110 48 8d 3d 11 0f 00 00 LEA RDI,[s_Incorrect_flag._00102028] = "Incorrect flag."
00101117 e8 14 ff ff ff CALL <EXTERNAL>::puts int puts(char * __s)
```
```python
data = bytearray(open("ctfd_plus", "rb").read())
data[0x110e] = 0xeb # jz -> jmp
open("ctfd_patched", "wb").write(data)
```

prepare gbd script to dump `AL` register after the `whatever` function call (AL will contains the correct flag chr):
```python
import gdb

def read_reg(reg):
return gdb.parse_and_eval("${}".format(reg))

def gdb_continue():
gdb.execute('continue')

gdb.execute('break *0x000055555555510b') # fix addr
flag = ''
while 1:
gdb.execute("continue")
bla = int(read_reg('al'))
flag += chr(bla)
print(flag)
```

then run it on patched binary:

```
% gdb ./ctfd_patched
pwndbg> starti
pwndbg> source gggdb.py
Breakpoint 1 at 0x55555555510b
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Welcome to CTFd+!
So far, we only have one challenge, which is one more than the number of databases we have.

Very Doable Pwn - 500 points, 0 solves
Can you help me pwn this program?
#include <stdio.h>
int main(void) {
puts("Bye!");
return 0;
}

Enter the flag:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Breakpoint 1, 0x000055555555510b in ?? ()
l

Breakpoint 1, 0x000055555555510b in ?? ()
la

Breakpoint 1, 0x000055555555510b in ?? ()
lac
///
Breakpoint 1, 0x000055555555510b in ?? ()
lactf{m4yb3_th3r3_1s_s0m3_m3r1t_t0_us1ng_4_d

Breakpoint 1, 0x000055555555510b in ?? ()
lactf{m4yb3_th3r3_1s_s0m3_m3r1t_t0_us1ng_4_db

Breakpoint 1, 0x000055555555510b in ?? ()
lactf{m4yb3_th3r3_1s_s0m3_m3r1t_t0_us1ng_4_db}
```

ctfd-plus

Comments

Sign in with