heapsoffun

DEFCON QUALS CTF PWN Challenge: 4pts

Challenge Description:

"If you have been knockedup then you know what to do. Perhaps try "tirer"
sha1sum heapsoffun:5ee5b2cde811e617cd789c73c1d8d2d9e8b27c36"

The challenge could only be solved after solving "knockedupd" and retrieving the binary from the server. It was a heap exploitation challenge and the goal was to get a remote shell. Once you got system() to execute "/bin/sh", however, you discovered that the flag was owned by root! Luckily, a suspicious knockd.conf file, located in the same directory, could be read to get specific UDP ports. Using the knockedupd script from the first challenge, you could knock on these ports and get the flag.

Material:

Solution:

Find a way to exploit the indexing done by the data storage program, leak addresses, overwrite a function in the GOT and execute system('/bin/sh').
(Python script to get system("/bin/sh") executed on the server, the matching libc used to calculate offsets and the binary of the server to pwn linked at the bottom.)

            1) Solve "knockedupd" and knock (using UDP) at ports 18547, 8846, 24467, then netcat to 52.5.150.223 at port 13495 to get a "shell" interface.

            2) Following the hint for the challenge, enter "tirer" in the shell and receive the server binary.

            3) Reverse the binary (IDA/gdb) to see which commands store data blocks to and retrieve data blocks from the heap.

            4) Using a vulnerability resulting from the use of atoi(), overwrite a data block's metadata.

            5) Call this data block from the heap using a different command to leak text addresses.

            6) Repeat this leaking process but with an offset of the text address to leak the GOT address.

            7) Using the option to update a data block on the heap and the same atoi() vulnerability, overwrite "memcmp()" in the GOT to "system()".

            8) Find an option in the program allowing the user to call the overwritten function with the user input string "/bin/sh".

            9) Using the remote shell, cd into the challenge folder and realize the flag is owned by root.

            10) Open the conf file also stored in the same directory and note the UDP ports and netcat port (as in "knockedupd").

            11) Using the script from "knockedupd", knock at the new ports (the service then adds a new rule to iptables).

            12) Connect to the port specified in this new conf file, as added to iptables. Receive the flag!
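The root cause behind steps 4 and 7 is an index parsed with atoi(): it cannot report malformed input and happily returns negative or oversized values, so a caller can address memory outside the block table. The following added example is not the challenge binary's code; it is a constructed block table (NBLOCKS, blocks[] and the function names are assumptions) showing the unchecked atoi() parse beside a strtol()-based parse that rejects junk, overflow and out-of-range indexes before any use.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NBLOCKS 4

/* Constructed stand-in for a heap data store: a fixed table of blocks. */
static const char *blocks[NBLOCKS] = {"block 0", "block 1", "block 2", "block 3"};

/* Vulnerable pattern: atoi() gives no error on junk input and accepts
 * negative values, so "-3" or "99999" become indexes outside blocks[]
 * and any lookup through them touches adjacent memory. */
long lookup_index_atoi(const char *arg)
{
    return atoi(arg);   /* no range check, no failure signal */
}

/* Hardened: parse with strtol(), reject anything that is not a whole
 * number, reject overflow, and bounds-check against the table size.
 * Returns -1 on any failure so the caller never indexes with it. */
long lookup_index_checked(const char *arg)
{
    char *end = NULL;
    errno = 0;
    long idx = strtol(arg, &end, 10);
    if (end == arg || *end != '\0')      /* empty or trailing junk */
        return -1;
    if (errno == ERANGE)                 /* value overflowed long */
        return -1;
    if (idx < 0 || idx >= NBLOCKS)       /* outside the table */
        return -1;
    return idx;
}

/* Fetch a block through the checked parser; NULL on any bad index. */
const char *get_block(const char *arg)
{
    long idx = lookup_index_checked(arg);
    return idx < 0 ? NULL : blocks[idx];
}

int main(void)
{
    printf("atoi(\"-3\") = %ld, checked(\"-3\") = %ld\n",
           lookup_index_atoi("-3"), lookup_index_checked("-3"));
    printf("get_block(\"2\") = %s\n", get_block("2"));
    return 0;
}
```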

Detailed steps to flag:

Flag:

Binaries & Scripts:

SERVER (Patched out Timer)

CLIENT

LIBC.SO.6

Interesting Things:

Initially, instead of using the vulnerability to overwrite a GOT address to call system on user input, we tried to use eip to jump to a one-gadget win.
Referenced here: Dragon Sector RCE, as they had the same libc as the one found in the challenge.

Unfortunately this didn't work :D