『pwnable.kr』 passcode Problem Solving

Right, so I suppose I’ll just crack on with this, then.



Screenshot. 1

Mommy told me to make a passcode based login system.

My initial C code was compiled without any error!

Well, there was some compiler warning, but who cares about that?

Then let’s just connect straight away, as above.

```bash
ssh passcode@pwnable.kr -p2222 (pw:guest)
```

Screenshot. 2

Once connected, use `ls -l` to check for files. Upon checking, you’ll find:

flag

passcode

passcode.c

There are three files in total, you see.


Screenshot. 3

First off, if you run passcode, you can see it behaves as shown above.

Right, and then, with the `cat` command, let’s have a look at the passcode.c file.


Screenshot. 4

I know, rummaging through some decades-old C language books at home and having a look at the code, it appears there’s a function that takes input; I suppose it’s likely the login() function.

```c
scanf("%d", passcode1);
scanf("%d", passcode2);
```

So, these two, I’d imagine: the input value isn’t being stored in passcode1.

Rather, it’s being stored at the address that passcode1’s value happens to point to.

So, for example, if passcode1 = 0x12345678, the value we input would then be stored at address 0x12345678.


Both variables likely contain dummy values, as they haven’t been initialised, and since the input value is then written to an address derived from that dummy value, well, that’s where the error crops up, isn’t it?
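To make the defect concrete, here is an added example of my own, not the challenge’s passcode.c: the broken call is kept in a comment beside a corrected reader that passes the destination address explicitly and rejects malformed input. `read_passcode`, `login_fixed` and the `EXPECTED1`/`EXPECTED2` passcodes are hypothetical names and placeholder values, since the post does not show the real ones.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not the challenge's passcode.c. The defect the post describes:
 *     int passcode1;            // never initialised
 *     scanf("%d", passcode1);   // passes the int's VALUE where an int* is due
 * scanf treats whatever stack garbage passcode1 holds as a pointer and writes the
 * parsed number through it; gcc -Wall reports "format '%d' expects argument of
 * type 'int *'". Initialising to 0 would only move the write to address 0; the
 * fix is to pass &passcode1 and to check that a number was actually parsed. */

/* Parse one decimal int from a line; the destination is passed explicitly and
 * every failure (no digits, out of int range) is reported to the caller. */
int read_passcode(const char *line, int *out)
{
    char *end;
    long v;

    if (line == NULL || out == NULL)
        return 0;
    errno = 0;
    v = strtol(line, &end, 10);
    if (end == line || errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return 0;
    *out = (int)v;      /* write through a pointer we own, not a stale value */
    return 1;
}

/* Constructed placeholder passcodes; the post does not show the real ones. */
#define EXPECTED1 111111
#define EXPECTED2 222222

/* Returns 1 on a correct login, 0 on a wrong or malformed one. */
int login_fixed(const char *line1, const char *line2)
{
    int passcode1, passcode2;
    if (!read_passcode(line1, &passcode1) || !read_passcode(line2, &passcode2))
        return 0;
    return passcode1 == EXPECTED1 && passcode2 == EXPECTED2;
}

int main(void)
{
    printf("%s\n", login_fixed("111111", "222222") ? "Login OK" : "Login Failed!");
    printf("%s\n", login_fixed("abc", "222222") ? "Login OK" : "Login Failed!");
    return 0;
}
```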

Right, then let’s have a look with gdb.


Screenshot. 4

First off, if you have a look at the ‘welcome’ function, it stores the input value at ebp-0x70.

And then, with the login function, you’ll see:


Screenshot. 5

You can tell that ebp-0x10 is where passcode1 is located.

Now, welcome() receives 100 bytes of input at ebp-0x70, while passcode1 sits at ebp-0x10; the gap between the two is 96 bytes, so the last four bytes of that input land exactly on passcode1 (\[ebp-0x10\]).

So, one can in fact manipulate the `passcode` value.



Right, then, as we can insert a desired value at the address held in passcode1, we can therefore insert a desired value at a desired address.



Following that, we simply change the GOT entry of `fflush()` to the address of the `system()` portion of `login()`.



So, then, let’s find the GOT address of `fflush()` and the address of the `system()` portion of `login()`.


<img src="https://luna0x03.github.io/PostImages/White%20Hacking/CTF/pwnable.kr/Passcode%20Problem%20Solving/11.png" alt="미리보기 방지" width="300" style="text-align: left;">


Screenshot. 6

The GOT address for `fflush` is `0x0804a004`.


<img src="https://luna0x03.github.io/PostImages/White%20Hacking/CTF/pwnable.kr/Passcode%20Problem%20Solving/12.png" alt="미리보기 방지" width="300" style="text-align: left;">


Screenshot. 7

If you look at the beginning of the ‘system’ portion, you can see it’s `0x080485e3`.

Then, if we construct the payload, it becomes `dummy[96] + fflush() GOT[4] + system()[4]`.



Now, since `scanf()` receives integers here, we need to convert `system()[4]` to an integer and send it:



`0x80485e3 = 134514147`

```bash
(python -c 'print "D"*96 + "\x04\xa0\x04\x08"'; cat) | ./passcode
```

Screenshot. 8

And that’s how we snagged the key, you see.

And then, heading back to the initial page


Screenshot. 9


Screenshot. 10

You can confirm that 10 points were in fact received upon mission completion.


Screenshot. 11

And then, a green dotted line indicates completion.

Oh, and even upon completion, it seems one can repeatedly practice the same problem.

Looks like it’s solvable, then, eh? ōxō


Have a good day, and I hope everything works out well for you.

It’s quite warm out, so do try and avoid getting heatstroke.

And do take care with the erm,
Wuhan pneumonia situation
