Follow me on Instagram


Back to Top
Image Alt

Google CTF 2019 // #05-1 STOP GAN (bof)

Writeup Series

Google CTF 2019 // #05-1 STOP GAN (bof)

Success, you’ve gotten the picture of your lost love, not knowing that pictures and the things you take pictures of are generally two seperate things, you think you’ve rescue them and their brethren by downloading them all to your ships hard drive. They’re still being eaten, but this is a fact that has escaped you entirely. Your thoughts swiftly shift to revenge. It’s important now to stop this program from destroying these “Cauliflowers” as they’re referred to, ever again. 1337

Once again, we were given a server address with a port and an attachment zip containing two files.

  • -rw-r–r–@ 1 maya staff 661K Nov 30 1979 bof
  • -rw-r–r–@ 1 maya staff 1.1K Nov 30 1979 console.c

Doing a quick file check on bof reveals it to be a MIPS ELF 32-bit executable.

Let’s try to connect to the server above first.

Seems like we’re supposed to crash the server. Opening up console.c reveals to us that it seems to tbe the script that’s running on the server itself. All input gets routed through the bof file.

Time to fire up Ghidra and reverse engineer the bof file. Luckily Ghidra supports MIPS architecture.

From the decompiled code, we can see that the max available size for our input is 260 bytes and the incorrect use of scanf leads to the buffer overflow that we’re trying to create to crash the system.

Now, the fastest way to send more than 260 bytes across to the server short of typing the character A more than 260 times is to use a quick python script.

python -c 'print "run\n" + "A"*300' | nc -v 1337

This will make use the python to enter run followed by 270 As which will cause the buffer overflow.

There we go, we got the flag. Now moving on to the bonus flag. We are supposed to do a controlled crash. Doing a quick search of the bof file for the word flag yielded a couple results.

The local_flag function seems promising. Let’s try to land ourselves near that marker.

After multiple trial and errors, we will realize that that crash happens after the 264th A. So let’s do a quick python again.

python -c 'print "run\n" + "A"*(264)+"\x50\x08\x40\x00"' | nc -v 1337

And finally, we got the bonus flag too.

Post a Comment