Starting place

PWN EASY - 346

Description

I like storing passwords in files.

ASLR is off on the server.

We are given a .out executable to download, along with a server to connect to. I'm guessing the server is just running the same file, so we download the binary and start by giving it executable permissions:

chmod +x starting_place.out

Then we execute it:

./starting_place.out

Hi! would you like see the current directory?
yes
Ok 

example1 example2.txt example3.zip

The program first prints "Hi! would you like see the current directory?", waits for our input, and then prints the directory listing. But what happens if we say no?

./starting_place.out

Hi! would you like see the current directory?
no
Ok 

example1 example2.txt example3.zip

Oddly enough, it still lists the directory. Let's decompile the executable with Ghidra.

Decompiled program

Now that we have the decompiled code we can see what the program is doing and identify the vulnerability. First it initializes a variable that is later used to compare against the input. Then it declares the input_buff variable, for which it allocates 12 bytes on the stack; that small fixed size suggests some kind of buffer overflow, but let's not get ahead of ourselves yet. It then declares three more variables whose purpose isn't obvious; they are probably used for standard things and aren't specific to this challenge. Note: the two variables that don't have random names were renamed manually.

Now let's get into the main part of the code. The program starts by printing "Hi! would you like see the current directory?", as expected. Right after that we can see the vulnerability: the "read()" call accepts more than 12 bytes into "input_buff", even though 12 bytes is all the program allocated for that variable. So we can conclude that the program has a buffer overflow vulnerability.

Now let's see what happens when we feed the program more than 12 bytes of data:

./starting_place.out

Hi! would you like see the current directory?
123456789123hi
Ok 

sh: 1: hi: not found
sh: 2: ����xF��PK��: not found

Interesting: everything after the 12th character gets executed as a shell command. We could also have deduced that from the decompiled code, because there is a "system()" call right after the read, and the bytes that overflow input_buff end up in the string that system() receives. So what if we give it a command to print the flag?
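For contrast, here is what the prompt code looks like without the bug. This is an added example, not the challenge binary's code or the writeup author's; it assumes the layout the decompilation describes (a 12-byte input_buff filled by read(), followed by a system() call that lists the directory). The read is bounded by the buffer size and NUL-terminated, and the listing uses readdir() instead of a shell, so input can neither overflow the buffer nor reach system().

```c
// Hardened version of the "yes/no" prompt (added example, not the challenge code).
// The challenge's defect is a read() whose length exceeds the 12-byte input_buff;
// here the length is derived from the buffer, the result is always NUL-terminated,
// and no user-controlled bytes are ever handed to a shell.
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define INPUT_CAP 12 /* same buffer size the writeup found in the binary */

/* Reads at most cap-1 bytes from fd into buf, NUL-terminates, and drops a
 * trailing newline. Returns the number of bytes kept, or -1 on error. */
ssize_t read_answer(int fd, char *buf, size_t cap) {
    if (cap == 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);   /* bounded by the buffer, not a constant */
    if (n < 0) return -1;
    buf[n] = '\0';
    char *nl = memchr(buf, '\n', (size_t)n);
    if (nl) { *nl = '\0'; n = nl - buf; }
    return n;
}

/* Returns 1 only for an exact "yes", 0 for anything else. */
int wants_listing(const char *answer) {
    return strcmp(answer, "yes") == 0;
}

/* Lists the directory with readdir() rather than system("ls"), so there is no
 * shell for stray input to reach. Returns entries printed, or -1 on error. */
int list_directory(const char *path) {
    DIR *d = opendir(path);
    if (!d) return -1;
    int count = 0;
    struct dirent *ent;
    while ((ent = readdir(d)) != NULL) {
        if (ent->d_name[0] == '.') continue; /* skip hidden entries, like plain ls */
        printf("%s ", ent->d_name);
        count++;
    }
    putchar('\n');
    closedir(d);
    return count;
}

int main(void) {
    char input_buff[INPUT_CAP];
    puts("Hi! would you like see the current directory?");
    if (read_answer(STDIN_FILENO, input_buff, sizeof input_buff) < 0) return 1;
    puts("Ok");
    if (wants_listing(input_buff)) list_directory(".");
    return 0;
}
```

With this version the writeup's 14-byte input is truncated to the 11 bytes that fit, the comparison fails, and nothing is listed; the extra characters never leave the buffer.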

./starting_place.out
Hi! would you like see the current directory?
123456789123cat flag.txt
Ok 

bucketctf{fake_fl@g_because_instances_dont_work}
sh: 2: ���: not found

Looks like it worked! We successfully got the flag by overflowing the 12-byte buffer into the string that system() executes.
