28 Apr 2014

PlaidCTF 2014 – tenement [100]

For PlaidCTF2014, Eindbazen and fail0verflow joined forces as 0xffa, the Final Fail Alliance. Don’t miss out on other write-ups at fail0verflow’s site!

The Plague has tried to make things easy for you in this service, but not too easy. He’s called The Plague, not The Nice Guy. The service should be running at 54.235.7.236:9999.

Tenement is a remote pwnable – it’s a normal x86 binary.

Upon initialization it loads a JSON file, using libjansson, which contains the flag and an array of memory addresses. The flow goes like this:

  1. the flag is copied to a malloc’d buffer, prefixed with “PPPP:”
  2. a random memory address is picked from the JSON array mentioned earlier
  3. mmap() is called with this picked address as the starting address
  4. the “PPPP:<flag>” buffer is copied over there, and the memory protection is set to PROT_READ
  5. finally, the malloc’d buffer and the stack are “cleaned” (memset) and the JSON objects are deleted
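
The flow above, reproduced as an added C example (not the challenge binary’s code, and not from the write-up): the candidate address list, the flag string and the index that stands in for the random pick are all constructed for the example, and `tenement_setup`/`tenement_find` are hypothetical names. The second function is the check a practitioner would want after step 5: probing the same address list afterwards still finds “PPPP:<flag>” in the read-only mapping, so wiping the heap copy and the stack does not remove the flag from the process. mmap() is called with the address as a hint plus MAP_FIXED_NOREPLACE rather than MAP_FIXED so the example never clobbers an existing mapping, and msync() is used to tell a mapped page from an unmapped one without faulting.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0x100000   /* Linux value; older kernels ignore unknown flags */
#endif

/* Constructed stand-in for the address array in the service's JSON file. */
static const uintptr_t candidates[] = { 0x30000000u, 0x31000000u, 0x32000000u };
#define NCAND (sizeof(candidates) / sizeof(candidates[0]))
#define PREFIX "PPPP:"
#define PREFIX_LEN (sizeof(PREFIX) - 1)

static size_t page_round(size_t n) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    return (n + pg - 1) / pg * pg;
}

/* Steps 1-5 of the flow. idx stands in for the random pick so a run is reproducible.
 * Returns the mapping (NULL on failure) and stores its length in *maplen. */
void *tenement_setup(const char *flag, size_t idx, size_t *maplen) {
    size_t len = PREFIX_LEN + strlen(flag) + 1;
    char *heap = malloc(len);                           /* step 1: heap copy with "PPPP:" */
    if (!heap) return NULL;
    memcpy(heap, PREFIX, PREFIX_LEN);
    strcpy(heap + PREFIX_LEN, flag);

    void *want = (void *)candidates[idx % NCAND];       /* step 2: pick from the array */
    *maplen = page_round(len);
    void *m = mmap(want, *maplen, PROT_READ | PROT_WRITE,   /* step 3 */
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
    if (m == MAP_FAILED) { free(heap); return NULL; }
    if (m != want) {                                    /* hint not honoured: give up */
        munmap(m, *maplen);
        free(heap);
        return NULL;
    }

    memcpy(m, heap, len);                               /* step 4: copy, then read-only */
    if (mprotect(m, *maplen, PROT_READ) != 0) {
        munmap(m, *maplen);
        free(heap);
        return NULL;
    }

    memset(heap, 0, len);                               /* step 5: wipe the heap copy */
    free(heap);
    return m;                                           /* ...but the mapping still holds it */
}

/* Probe every candidate: msync() fails with ENOMEM on an unmapped page, so we can test
 * each address without faulting; the "PPPP:" prefix then identifies the flag page.
 * Copies the flag (prefix stripped) into out and returns the candidate index, or -1. */
int tenement_find(char *out, size_t outsz) {
    for (size_t i = 0; i < NCAND; i++) {
        void *addr = (void *)candidates[i];
        if (msync(addr, 1, MS_ASYNC) != 0) continue;    /* not mapped in this process */
        const char *p = addr;
        if (memcmp(p, PREFIX, PREFIX_LEN) != 0) continue;
        snprintf(out, outsz, "%s", p + PREFIX_LEN);
        return (int)i;
    }
    return -1;
}

void tenement_teardown(void *m, size_t maplen) {
    munmap(m, maplen);
}

int main(void) {
    size_t maplen = 0;
    char flag[64];
    void *m = tenement_setup("PCTF{constructed_example_flag}", 2, &maplen);
    if (!m) { perror("tenement_setup"); return 1; }
    int idx = tenement_find(flag, sizeof flag);
    printf("flag page found at candidate %d (%p): %s\n", idx, m, flag);
    tenement_teardown(m, maplen);
    return 0;
}
```

The pick is deterministic here only so the demonstration is repeatable; the service draws it at random, but with the address list in hand a client only has to try each entry, which is exactly what `tenement_find` does locally.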


21 Apr 2014

PlaidCTF 2014 – harry_potter [300]

For PlaidCTF2014, Eindbazen and fail0verflow joined forces as 0xffa, the Final Fail Alliance. Don’t miss out on other write-ups at fail0verflow’s site!

The harry_potter pwnable is a network service that does not appear to do a whole lot:

$ nc 54.198.150.4 666
If you guess the password, I will give you a reward!

Running the binary in strace shows what is going on: