BSides Canberra 2018 CTF Write-Up: Softcover Walk

This is a write-up of the Softcover Walk challenge from the BSides Canberra 2018 CTF. This challenge was worth 300 points.

Description

Walk softly over to the edge and peak over to the flag.

The challenge contained the above message, as well as an SSH address:

ssh://peasant.libctf.so

Looking around a bit, we found a challenges directory in the root folder that contains a folder for each challenge.

There are two files inside the softcover_walk folder, flag.txt and challenge. Experimenting with the challenge file a bit, we can see that this challenge requires a buffer overflow exploit.

The Hack

The first step in making this challenge easier to work with is to copy the file to our computer. We can use scp (Secure CoPy) to accomplish this.

scp CodeCadetsDelta@peasant.libctf.so:/challenges/softcover_walk/challenge/root/Desktop

We then used this simple starter template for the buffer overflow. It’s a Python script that allows us to pass in the name of the file and then sets up a very useful debugging environment. These tools need to be installed for it to work:

import pwn
pwn.context.terminal = [‘tmux’,’splitw’,’-h’]
name = ‘test’
p = pwn.gdb.debug([‘./challenge’,name], ‘’)
p.interactive()

When running this python script inside tmux, we got this window:

We could then use various debugger commands to control the execution of this program.

Our next step was to see what happens when we send, let’s say, 600 of the letter A to the program. We’ll change line 4 to:

name = ‘A’ * 600

We can see that the program has stopped on ret and is trying to return into an address that we have overflowed into. To figure out at what point we overflow into the register (the buffer), we can use PwnTools cyclic method. This will create a pattern where every four letters is unique. We change line 4 to: name = pwn.cyclic(600).

We find that the first four characters in the overflow are ‘acpa’. Using pwn.cyclic_find(‘acpa’), we find that the buffer length is 258.

Next, we have to find out what to overflow into the buffer. This is usually the hardest part of a buffer overflow, but in this case, it was easy. The code has a read_flag function. If we can overwrite the address of this function into the return pointer, we can make the program go “back” to the read_flagfunction.

Finding the address of the function is outside the scope of this tutorial, but the tool we used was IDA Pro.The address was:

0x0000000000400696

The next part of this challenge created a very big problem. We tried putting this value at the end of the buffer, but then realised that it wouldn’t work because it is impossible to send the “null bytes” (00). Luckily, we realised that the bytes are stored in reverse. This meant that we only needed to overwrite the “96” byte, the “06” byte and the “40” byte. The rest of the null bytes do not need to be overwritten as they are the same when the program runs normally. We now change line 4 to the following:

name = ‘A’ * 258 + ‘\x96\x06\x40’

All we needed to do then was upload our file to the server and run it there — and the flag was returned! The server already has the tools that we used installed, making it easier to run the exploit.

A big thank you to the CTF organisers — Elttam — for this great challenge.