sesiuni:memory:ctf_sols:gatekeeper (2013/07/19 04:24, created by rcaragea)

== Gatekeeper ==
This set of tasks requires you to enter a password in order to print the flag for the next level, but there's a catch: you don't type the password itself, you enter a memory address where it is stored.
=== Gatekeeper_01 ===
The program compares the string found at the address you give with the contents of secret_pass[], so we can simply point it at secret_pass[] itself. secret_pass[] is a global variable, so we can find its address with 'nm'.
<code bash>
gatekeeper_01@dmns-VirtualBox:~$ nm gatekeeper_01 | grep secret_pass
0804a008 D secret_pass
gatekeeper_01@dmns-VirtualBox:~$ ./gatekeeper_01
Welcome to <<Gate 1>> human, what is your name?
Robot
What is the passphrase Robot? Give me a memory address of where it is and you shall be granted access
Enter the address in hex like so: 0x123ABC
0x0804a008
Checking contents of 0x804a008
Access granted! The password to gatekeeper_02 is:
657a609fb15bfb8aa11d4566143e11eb
</code>

=== Gatekeeper_02 ===
This one is harder: you need to give the address of a buffer holding the password in reverse order, so the previous trick no longer works.
However, there is still something we control: the name buffer. It is a global variable like before, so we can use 'nm' to find its address and type the reversed password as our name.
<code bash>
gatekeeper_02@dmns-VirtualBox:~$ nm gatekeeper_02 | grep name
0804a024 B name
gatekeeper_02@dmns-VirtualBox:~$ python
>>> "ultra_secret_passw0rd"[::-1]
'dr0wssap_terces_artlu'
gatekeeper_02@dmns-VirtualBox:~$ ./gatekeeper_02
Welcome to <<Gate 2>> human, what is your name?
dr0wssap_terces_artlu
What is the passphrase dr0wssap_terces_artlu? Give me a memory address of where it is and you shall be granted access
Enter the address in hex like so: 0x123ABC
But this time, the passphrase should be stored in reverse order at that address!
0x0804a024
Checking contents of 0x804a024
Access granted! The password to gatekeeper_03 is:
d7e3fb11c279ca1eb7df1039880f20f5
</code>
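The two tricks above come down to one property of the gate: it reads a C string from whatever address it is handed and compares it with the secret, so any readable location the user can influence satisfies it. The program below is an added model of that check written for this page; it is not the challenge's source, and the names secret_pass, name, gate1_check, gate2_check and hex_addr_or_zero are this example's own. It reproduces the self-referencing solution of gate 1 and the name-buffer solution of gate 2, and shows why 'nm' reports one global as D and the other as B.

```c
/* Added example, not the gatekeeper source: a model of the two gate checks
 * with the two globals the write-up relies on. All names are assumptions. */
#include <stdio.h>
#include <string.h>

char secret_pass[] = "ultra_secret_passw0rd";   /* initialised data: 'D' in nm */
char name[64];                                  /* zero-filled BSS:   'B' in nm */

/* Write s backwards into out (out must hold strlen(s)+1 bytes). */
static void reverse_into(const char *s, char *out)
{
    size_t n = strlen(s);
    for (size_t i = 0; i < n; i++)
        out[i] = s[n - 1 - i];
    out[n] = '\0';
}

/* Gate 1 as the write-up describes it: compare the C string found at the
 * user-supplied address with secret_pass. */
int gate1_check(const char *addr)
{
    return strcmp(addr, secret_pass) == 0;
}

/* Gate 2: the C string at addr must be secret_pass written backwards. */
int gate2_check(const char *addr)
{
    char want[sizeof secret_pass];
    reverse_into(secret_pass, want);
    return strcmp(addr, want) == 0;
}

/* Parse the "0x0804a008" form the gates prompt for; 0 on failure.
 * sscanf's %lx accepts the 0x prefix and drops leading zeros, which is
 * why the gate echoes 0x804a008 for an input of 0x0804a008. */
unsigned long hex_addr_or_zero(const char *text)
{
    unsigned long a = 0;
    return sscanf(text, "%lx", &a) == 1 ? a : 0;
}

/* Gate 1 solution: point the check at the secret itself. */
int gate1_self_reference(void)
{
    return gate1_check(secret_pass);
}

/* Gate 2 solution: the "what is your name?" answer lands in a global we
 * can address, so we store the reversed password there. */
int gate2_via_name_buffer(const char *user_name)
{
    snprintf(name, sizeof name, "%s", user_name);
    return gate2_check(name);
}

int main(void)
{
    printf("secret_pass at %p (initialised data, 'D' in nm)\n", (void *)secret_pass);
    printf("name        at %p (zero-filled BSS,  'B' in nm)\n", (void *)name);
    printf("gate 1 given the address of secret_pass itself: %s\n",
           gate1_self_reference() ? "granted" : "wrong");
    printf("gate 2 given the name buffer holding dr0wssap_terces_artlu: %s\n",
           gate2_via_name_buffer("dr0wssap_terces_artlu") ? "granted" : "wrong");
    return 0;
}
```

The defensive reading: a check that dereferences a caller-chosen address effectively asks for an address rather than a secret, because the secret's own storage and every user-filled buffer are equally valid answers. The fixed addresses that 'nm' prints are only usable because the binaries are not position independent; with PIE and ASLR the same globals move on every run.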

=== Gatekeeper_03 ===
This was a bonus challenge of increased difficulty, because there is seemingly no user input at all apart from the address itself. The hint was: "what happens before main() is called?" The answer is that even though main() is compiled without the argc, argv and envp parameters, these values are still present on the stack. This leads to three slightly different solutions, each of which can be worked out with gdb or with a local recompilation.
**Recompilation method**: although you can't modify the original binary, you can make a copy of the source for yourself and add extra printf() calls (the added lines are marked with +):
<code c>
+ int main(int argc, char **argv)
{
        char addr_buf[11];
        unsigned long addr = 0;

        char *addr_ptr = NULL;
        int i, len = strlen(secret_pass);
+       printf("Address of argv[0] is %p\n", argv[0]);
+       printf("Address of argv[1] is %p\n", argv[1]);
+       printf("Address of PASS env var is %p\n", getenv("PASS"));
        printf("Welcome to " TERM_GREEN "<<Gate 3>>" TERM_RESET " human, I know your name from last time\n");
</code>

<code bash>
gatekeeper_03@dmns-VirtualBox:~$ gcc -Wall gatekeeper_03_mod.c -o my_gatekeeper_03 -m32
gatekeeper_03@dmns-VirtualBox:~$ ./my_gatekeeper_03
Address of argv[0] is 0xffffd872
Address of argv[1] is (nil)
Address of PASS env var is (nil)
Welcome to <<Gate 3>> human, I know your name from last time
</code>
OK, so let's solve it using argv[1]:
<code bash>
gatekeeper_03@dmns-VirtualBox:~$ ./my_gatekeeper_03 dr0wssap_terces_agem
Address of argv[0] is 0xffffd85d
Address of argv[1] is 0xffffd870
Address of PASS env var is (nil)
gatekeeper_03@dmns-VirtualBox:~$ ./gatekeeper_03 dr0wssap_terces_agem
Welcome to <<Gate 3>> human, I know your name from last time
What is the passphrase? Give me a memory address of where it is and you shall be granted access
Enter the address in hex like so: 0x123ABC
Like last time, the passphrase should be stored in reverse order at that address!
0xffffd870
Checking contents of 0xffffd870
Wrong!The content there is [er_03]
# Note the small address difference caused by running a different binary: 0xffffd870 now falls inside argv[0]
# ("er_03" plus its terminator is 6 bytes), so argv[1] starts at 0xffffd876
gatekeeper_03@dmns-VirtualBox:~$ ./gatekeeper_03 dr0wssap_terces_agem
Welcome to <<Gate 3>> human, I know your name from last time
What is the passphrase? Give me a memory address of where it is and you shall be granted access
Enter the address in hex like so: 0x123ABC
Like last time, the passphrase should be stored in reverse order at that address!
0xffffd876
Checking contents of 0xffffd876
Access granted! The final password is:
1baaf32f105ba8765de805abe47df0dd
</code>
Now, let's use an environment variable:
<code bash>
gatekeeper_03@dmns-VirtualBox:~$ PASS=dr0wssap_terces_agem ./my_gatekeeper_03
Address of argv[0] is 0xffffd858
Address of argv[1] is (nil)
Address of PASS env var is 0xffffd870
Welcome to <<Gate 3>> human, I know your name from last time
gatekeeper_03@dmns-VirtualBox:~$ PASS=dr0wssap_terces_agem ./gatekeeper_03
Welcome to <<Gate 3>> human, I know your name from last time
What is the passphrase? Give me a memory address of where it is and you shall be granted access
Enter the address in hex like so: 0x123ABC
Like last time, the passphrase should be stored in reverse order at that address!
0xffffd870
Checking contents of 0xffffd870
Wrong!The content there is []
# Oops, the shifted address landed right on a string terminator; let's check from the next byte
gatekeeper_03@dmns-VirtualBox:~$ PASS=dr0wssap_terces_agem ./gatekeeper_03
Welcome to <<Gate 3>> human, I know your name from last time
What is the passphrase? Give me a memory address of where it is and you shall be granted access
Enter the address in hex like so: 0x123ABC
Like last time, the passphrase should be stored in reverse order at that address!
0xffffd871
Checking contents of 0xffffd871
Wrong!The content there is [PASS=dr0wssap_terces_agem]
# The entry starts at 0xffffd871, so its value starts 5 bytes later, just past "PASS="
gatekeeper_03@dmns-VirtualBox:~$ PASS=dr0wssap_terces_agem ./gatekeeper_03
Welcome to <<Gate 3>> human, I know your name from last time
What is the passphrase? Give me a memory address of where it is and you shall be granted access
Enter the address in hex like so: 0x123ABC
Like last time, the passphrase should be stored in reverse order at that address!
0xffffd876
Checking contents of 0xffffd876
Access granted! The final password is:
1baaf32f105ba8765de805abe47df0dd
</code>
The last solution changes argv[0] itself, by running the binary through a symlink named after the reversed password. This is my favorite:
<code bash>
gatekeeper_03@dmns-VirtualBox:~$ ln -s my_gatekeeper_03 dr0wssap_terces_agem
gatekeeper_03@dmns-VirtualBox:~$ ./dr0wssap_terces_agem
Address of argv[0] is 0xffffd866
Address of argv[1] is (nil)
Address of PASS env var is (nil)
gatekeeper_03@dmns-VirtualBox:~$ rm dr0wssap_terces_agem
gatekeeper_03@dmns-VirtualBox:~$ ln -s gatekeeper_03 dr0wssap_terces_agem
gatekeeper_03@dmns-VirtualBox:~$ ./dr0wssap_terces_agem
Welcome to <<Gate 3>> human, I know your name from last time
What is the passphrase? Give me a memory address of where it is and you shall be granted access
Enter the address in hex like so: 0x123ABC
Like last time, the passphrase should be stored in reverse order at that address!
0xffffd866
Checking contents of 0xffffd866
Wrong!The content there is [./dr0wssap_terces_agem]
# argv[0] begins with "./", so the reversed password starts 2 bytes later
gatekeeper_03@dmns-VirtualBox:~$ ./dr0wssap_terces_agem
Welcome to <<Gate 3>> human, I know your name from last time
What is the passphrase? Give me a memory address of where it is and you shall be granted access
Enter the address in hex like so: 0x123ABC
Like last time, the passphrase should be stored in reverse order at that address!
0xffffd868
Checking contents of 0xffffd868
Access granted! The final password is:
1baaf32f105ba8765de805abe47df0dd
</code>
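All three variants of the recompilation method rely on the same two facts: the kernel places argc, argv and envp on the stack before main() runs whether or not main() declares them, and the argument and environment strings are stored back to back as NUL-terminated C strings, so the address the gate needs is "start of the right entry plus the length of its prefix" ("./" for the symlink, "PASS=" for the variable). The program below is an added example written for this page, not the challenge's source and not the author's modified binary; strings_are_contiguous, offset_of_reversed, find_reversed_in_vector and the demo_argv/demo_env vectors are its own names, and the demo vectors are constructed to mirror the symlink and PASS= runs above.

```c
/* Added example, not the gatekeeper source: the argument/environment
 * string area a process is born with, and the offset arithmetic behind
 * the corrected addresses in the write-up. All names are assumptions. */
#include <stdio.h>
#include <string.h>

/* Linux stores the argv strings back to back, then the environment strings,
 * so each entry starts right after the previous entry's terminator.
 * Returns 1 if that holds for every adjacent pair in vec. */
int strings_are_contiguous(const char *const *vec)
{
    for (size_t i = 0; vec[i] != NULL && vec[i + 1] != NULL; i++)
        if (vec[i + 1] != vec[i] + strlen(vec[i]) + 1)
            return 0;
    return 1;
}

/* Scan block (block_len bytes, NUL terminated) for password written
 * backwards, as gate 3 expects it. A hit must end exactly at a NUL,
 * because the gate reads a whole C string from the address it is given
 * (the "[er_03]" and "[agem]" misses above are the tails of longer
 * strings). Returns the byte offset from the block start, or -1. */
long offset_of_reversed(const char *block, size_t block_len, const char *password)
{
    char rev[256];
    size_t n = strlen(password);
    if (n == 0 || n >= sizeof rev)
        return -1;
    for (size_t i = 0; i < n; i++)
        rev[i] = password[n - 1 - i];
    rev[n] = '\0';
    for (size_t off = 0; off + n < block_len; off++)
        if (block[off + n] == '\0' && memcmp(block + off, rev, n) == 0)
            return (long)off;
    return -1;
}

/* Look through an argv- or envp-style vector and return the address at
 * which the reversed password is readable as a C string, or NULL. The
 * hit may start inside an entry, e.g. past "./" or past "PASS=". */
const char *find_reversed_in_vector(const char *const *vec, const char *password)
{
    for (size_t i = 0; vec[i] != NULL; i++) {
        long off = offset_of_reversed(vec[i], strlen(vec[i]) + 1, password);
        if (off >= 0)
            return vec[i] + off;
    }
    return NULL;
}

/* Constructed stand-ins for the symlink run and the PASS= run above. */
const char *const demo_argv[] = { "./dr0wssap_terces_agem", NULL };
const char *const demo_env[]  = { "SHELL=/bin/bash", "PASS=dr0wssap_terces_agem", NULL };

/* Offset of the hit inside argv[0]: 2, the length of "./". */
long demo_symlink_offset(void)
{
    const char *hit = find_reversed_in_vector(demo_argv, "mega_secret_passw0rd");
    return hit ? (long)(hit - demo_argv[0]) : -1;
}

/* Offset of the hit inside the PASS entry: 5, the length of "PASS=". */
long demo_env_offset(void)
{
    const char *hit = find_reversed_in_vector(demo_env, "mega_secret_passw0rd");
    return hit ? (long)(hit - demo_env[1]) : -1;
}

/* Self-check of the layout test on a constructed string area. */
int demo_contiguous(void)
{
    char area[] = "a\0bb\0ccc";          /* three strings back to back */
    char gapped[] = "a\0\0bb";           /* an extra NUL between two strings */
    const char *const tight[] = { area, area + 2, area + 5, NULL };
    const char *const loose[] = { gapped, gapped + 3, NULL };
    return strings_are_contiguous(tight) == 1 && strings_are_contiguous(loose) == 0;
}

/* Live version: declare the parameters main() always receives and report
 * where this process keeps them. Try it as
 *   ./stack_strings dr0wssap_terces_agem   or   PASS=dr0wssap_terces_agem ./stack_strings */
int main(int argc, char **argv, char **envp)
{
    const char *const *args = (const char *const *)argv;
    const char *const *env = (const char *const *)envp;
    for (int i = 0; i < argc; i++)
        printf("argv[%d] at %p: %s\n", i, (const void *)argv[i], argv[i]);
    for (int i = 0; env[i] != NULL && i < 3; i++)
        printf("envp[%d] at %p: %s\n", i, (const void *)env[i], env[i]);
    printf("argv strings contiguous: %d, env strings contiguous: %d\n",
           strings_are_contiguous(args), strings_are_contiguous(env));
    const char *hit = find_reversed_in_vector(args, "mega_secret_passw0rd");
    if (hit == NULL)
        hit = find_reversed_in_vector(env, "mega_secret_passw0rd");
    if (hit != NULL)
        printf("reversed password readable as a C string at %p\n", (const void *)hit);
    else
        printf("reversed password not present in argv or the environment\n");
    return 0;
}
```

The addresses this program prints belong to its own process: as the write-up shows, a different binary name or a different environment shifts the whole string area, which is why the page compares two runs and then applies a small correction. The fixed 0xffff... addresses in the transcripts also mean stack randomization was off on that machine; with ASLR enabled every run gets a different stack base and the addresses could not be reused between runs at all.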


**Gdb method**: basically the same approach, after finding the correct addresses in a controlled setup:
<code bash>
gatekeeper_03@dmns-VirtualBox:~$ gdb ./gatekeeper_03
Reading symbols from /home/gatekeeper_03/gatekeeper_03...done.
(gdb) break *main
Breakpoint 1 at 0x80485ec: file gatekeeper_03.c, line 19.
(gdb) run dr0wssap_terces_agem
Starting program: /home/gatekeeper_03/gatekeeper_03 dr0wssap_terces_agem

Breakpoint 1, main () at gatekeeper_03.c:19
19 {
# We stopped on the first instruction of main, before its prologue, so $sp holds the return address
# and the arguments start at the next word: $sp + 4
(gdb) x /8wx $sp+4
0xffffd680: 0x00000002 0xffffd714 0xffffd720 0xf7fda858
0xffffd690: 0x00000000 0xffffd71c 0xffffd720 0xf7fb81c8
# 0x00000002 is argc
# 0xffffd714 is argv
# 0xffffd720 is envp
(gdb) x /2s *0xffffd714
0xffffd840: "/home/gatekeeper_03/gatekeeper_03"
0xffffd862: "dr0wssap_terces_agem"
(gdb) x /2s *0xffffd720
0xffffd877: "SHELL=/bin/bash"
0xffffd887: "TERM=xterm"
(gdb) quit
# Note that gdb starts the process using the absolute path, so we do the same outside gdb
gatekeeper_03@dmns-VirtualBox:~$ /home/gatekeeper_03/gatekeeper_03 dr0wssap_terces_agem
Welcome to <<Gate 3>> human, I know your name from last time
What is the passphrase? Give me a memory address of where it is and you shall be granted access
Enter the address in hex like so: 0x123ABC
Like last time, the passphrase should be stored in reverse order at that address!
0xffffd862
Checking contents of 0xffffd862
Wrong!The content there is [agem]
# Outside gdb the strings have moved: 0xffffd862 holds only the tail "agem", the last 4 of the 20 characters,
# so the string starts 16 bytes lower, at 0xffffd852
gatekeeper_03@dmns-VirtualBox:~$ /home/gatekeeper_03/gatekeeper_03 dr0wssap_terces_agem
Welcome to <<Gate 3>> human, I know your name from last time
What is the passphrase? Give me a memory address of where it is and you shall be granted access
Enter the address in hex like so: 0x123ABC
Like last time, the passphrase should be stored in reverse order at that address!
0xffffd852
Checking contents of 0xffffd852
Access granted! The final password is:
1baaf32f105ba8765de805abe47df0dd
</code>
