pwnfreemedium

Brick City Office Space

umasscybersec

Task: a 32-bit service printed user input directly with printf and exposed two format-string sinks in a loop. Solution: leak puts from the GOT to recover libc, overwrite printf@got with system, then trigger the second sink with `cat flag.txt`.

$ ls tags/ techniques/

format_string got_overwrite libc_leak no_pie printf i386 no_relro

libc_leak_via_gotformat_string_offset_discoveryfmtstr_got_overwriteprintf_to_system_hijack

Brick City Office Space — UMass Cybersecurity CTF

Description

"We're using a new %format for the TPS reports. Did you get my memo?"

English summary: the service asks for an office design string and later asks whether you want to redesign. User-controlled data is printed with printf without a format string, giving a format string vulnerability that can be used to leak libc and overwrite the GOT.

Service:

nc brick-city-office-space.pwn.ctf.umasscybersec.org 45001

Analysis

The binary is a 32-bit ELF (i386), dynamically linked, and not stripped.

checksec showed:

RELRO:    No RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE

These properties are ideal for a classic GOT overwrite:

No RELRO means GOT entries stay writable.
No PIE means code and GOT addresses are fixed.
NX enabled pushes the exploit toward code-reuse / libc reuse instead of shellcode.

Important addresses from the binary:

vuln       = 0x80491d6
main       = 0x80493db
puts@got   = 0x804bbbc
printf@got = 0x804bbb0

Important offsets from the provided libc.so.6:

puts   = 0x732a0
system = 0x48170

The stack offset for our format string was 4. A probe such as AAAA.%1$p.%2$p.%3$p.%4$p revealed 0x41414141 at %4$p, so attacker-controlled bytes placed at the start of the input are read as the 4th format argument.

Vulnerability

The real bug is a format string vulnerability: user input is passed directly to printf.

There are two useful printf(user_input) paths inside vuln():

The program prints the submitted office design.
If the redesign answer is not y or n, it enters a This is what you said: branch and prints that invalid response with printf(buffer).

That gives two separate stages in one execution:

...

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires auth)

Sign in to read this free writeup

This writeup is free — just sign in with GitHub to read it.

$ssh [email protected]