[PWN] DeadsecCTF 2024 - User Management Challenge

-
 ( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ )
(إن أحسنت فمن الله، وإن أسأت فمن نفسي والشيطان)



User Management

it is a format string challenge, let's start it.

First, our menu contains the following



after reversing the binary with Ghidra and trying the options we know that there is a Format String in the view description and we can hit it when we create a new user and login with it but to create a user we have to login as admin first and the admin password is random :-).

with some static/dynamic analysis, we know that there something weird with the admin login function



it reads 21 bytes and it just needs 12 ;-) so we have a trigger here if we check the address (DAT_555555559340) it is close to the address of the password on (DAT_555555559350) and we have an overflow on the first address so we can overwrite the password.

When we overwrite the password with the following payload we will get the "strncmp" check for the username and we can get it





after logging in with admin we can hit the Format String vulnerability, but we have a forbidden char "$" so we can not use it in our payload.



Let's leak the needed addresses and calcualte the offset and the offset is 6 as we can see in the following screenshot.


so now we can overwrite the RIP using the format string and control it to do what we want ;-), the following is the failed ROP chain.



I tried to do an ROP chain but did not work (the length of payload), but the one gadget works with me because we have the libc file, the first one works with me.


the following is the payload that I used to write into the RIP, I used the option "no_dollars" in pwntools (note that if you are learning and new to this try to do it manually and when you understand it use the automation to make it easy for CTFs).


and we got our shell.

Thank you for reading this ;-)


عن تميم بن أوس رضي الله عنه ، أن النبي صلى الله عليه وسلم قال : ( الدين النصيحة ، قلنا : لمن يا رسول الله ؟ قال : لله ، ولكتابه ، ولرسوله ، ولأئمة المسلمين وعامتهم ) رواه البخاري ومسلم .

Comments

Post a Comment

Popular posts from this blog

[BlackHatMEA-CTF 2024] cockatoo PWN challenge

-
Image
 ( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) (إن أحسنت فمن الله، وإن أسأت فمن نفسي والشيطان) Let's check the "cockatoo" pwn challenge from Blackhat MEA CTF 2024. Reverse the Binary we note that the binary takes the input byte by byte and there is a counter (i hate static analysts) Dynamic analysis  Let's jump to GDB and see what happened. I set a breakpoint on the road to get the stack address in which our input will be stored, and the following screenshots show our input increase and the counter before the RIP address. and the payload to overwrite the counter and control where the next write will be in the following screenshots  and we added to the counter (16) and could overwrite the RIP now we have to find our gadgets and do a simple execve, right?!!! NOOOOOO Exploit we don't have gadgets for "rdx, rdi, rsi" and we need to do "execve(rdi, rsi, rdx)", but we have "syscall" and "pop rax" so its time for our SROP attack. we...
Read more

[WEB] ASC Wargame CTF 2024 - Challenge Hot Proxy

-
Image
 ( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) (إن أحسنت فمن الله، وإن أسأت فمن نفسي والشيطان) It was a nice CTF, I got 2nd place with my guys: Hissien Misbah ( Twitter ) Mohamed Bebo ( Linkedin ) Sameh ( Linkedin ) Osama Zidan ( Linkedin ) A picture during solving this challenge in the last 5m of the CTF (thinking that we got 1st place). Let's walk through the Web Challenge Hot Proxy, note that we did not solve it during the time of the CTF it was a minute way, let's start. Note: there is no source code in the challenge attachment, I requested it from the author ( @serWazito0 ) thanks to him, challenges files ( ASCWG_2024_CTF ). Note: the flag file in the server and called "flag_<RANDOM>.txt", so we have to get RCE. From the title I know that there is an "SSRF" vulnerability in this challenge and from the description, we know that there is an internal application called "app1" with a route called "/secret" so our target is to access...
Read more

Lets Analysis STM32F103 Chip Firmware from Attify

-
Image
( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) Let's start our blog. As we know any IoT device should have a firmware to run it and there is a thought that it is secure by default because it is in a board, but we know that we can dump this firmware, our firmware know is already shared with us something like training to learn basics of reversing firmware. you can download the firmware from here . if we run the file command on the firmware we will find this "STM32F103C-firmware.bin: data" and if we try to get the architecture using binwalk it will return empty result "binwalk -A STM32F103C-firmware.bin" but we don't need this because it is a famous chip and we can know what we want from google. After searching for the chip name STM32F103C we will open its default page you will know that it run using "ARM Cortex M3" we will need that later, it is time to analysis using Ghidra. Analysis Dropping the firmware file to Ghidra but it will not detect anything...
Read more