[ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/tux]
→ wget https://github.com/guyinatuxedo/nightmare/raw/master/modules/09-bad_seed/hsctf19_tuxtalkshow/tuxtalkshow
--2021-03-07 13:24:34-- https://github.com/guyinatuxedo/nightmare/raw/master/modules/09-bad_seed/hsctf19_tuxtalkshow/tuxtalkshow
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving github.com (github.com)... 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/09-bad_seed/hsctf19_tuxtalkshow/tuxtalkshow [following]
--2021-03-07 13:24:35-- https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/09-bad_seed/hsctf19_tuxtalkshow/tuxtalkshow
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.108.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21112 (21K) [application/octet-stream]
Saving to: ‘tuxtalkshow’
tuxtalkshow 100%[================================================================>] 20.62K --.-KB/s in 0.003s
2021-03-07 13:24:35 (5.81 MB/s) - ‘tuxtalkshow’ saved [21112/21112]
[ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/tux]
→ file tuxtalkshow
tuxtalkshow: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=8c0d2b94392e01fecb4b54999cc8afe6fa99653d, for GNU/Linux 3.2.0, not stripped
[ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/tux]
→ chmod +x tuxtalkshow
First let's run pwn checksec on the binary file before executing it to see what it does:
[ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/tux]
→ pwn checksec tuxtalkshow
[*] '/home/nothing/binexp/3/tux/tuxtalkshow'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/tux]
→ ./tuxtalkshow
Welcome to Tux Talk Show 2019!!!
Enter your lucky number: 13371337
So here we have a 64bit binary with PIE enabled. When we run it it prompts us for a number. So let's check it out from inside of ghidra:
And here we get a gigantic main function:
undefined8 main(void)
{
int iVar1;
time_t tVar2;
basic_ostream *pbVar3;
long in_FS_OFFSET;
int local_290;
int local_28c;
int local_288;
int local_284;
undefined4 local_280;
undefined4 local_27c;
undefined4 local_278;
undefined4 local_274;
undefined4 local_270;
undefined4 local_26c;
int local_268 [8];
basic_string local_248 [32];
basic_istream local_228 [520];
long local_20;
local_20 = *(long *)(in_FS_OFFSET + 0x28);
std::basic_ifstream>::basic_ifstream((char *)local_228,0x1020b0);
tVar2 = time((time_t *)0x0);
srand((uint)tVar2);
/* try { // try from 0010127e to 001012c0 has its CatchHandler @ 00101493 */
pbVar3 = std::operator<<((basic_ostream *)std::cout,"Welcome to Tux Talk Show 2019!!!");
std::basic_ostream>::operator<<
((basic_ostream> *)pbVar3,
std::endl>);
std::operator<<((basic_ostream *)std::cout,"Enter your lucky number: ");
std::basic_istream>::operator>>
((basic_istream> *)std::cin,&local_290);
local_280 = 0x79;
local_27c = 0x12c97f;
local_278 = 0x135f0f8;
local_274 = 0x74acbc6;
local_270 = 0x56c614e;
local_26c = 0xffffffe2;
local_268[0] = 0x79;
local_268[1] = 0x12c97f;
local_268[2] = 0x135f0f8;
local_268[3] = 0x74acbc6;
local_268[4] = 0x56c614e;
local_268[5] = 0xffffffe2;
local_28c = 0;
while (local_28c < 6) {
iVar1 = rand();
local_268[local_28c] = local_268[local_28c] - (iVar1 % 10 + -1);
local_28c = local_28c + 1;
}
local_288 = 0;
local_284 = 0;
while (local_284 < 6) {
local_288 = local_288 + local_268[local_284];
local_284 = local_284 + 1;
}
if (local_288 == local_290) {
std::__cxx11::basic_string,std::allocator>::basic_string();
/* try { // try from 00101419 to 00101448 has its CatchHandler @ 0010147f */
std::operator>>(local_228,local_248);
pbVar3 = std::operator<<((basic_ostream *)std::cout,local_248);
std::basic_ostream>::operator<<
((basic_ostream> *)pbVar3,
std::endl>);
std::__cxx11::basic_string,std::allocator>::~basic_string
((basic_string,std::allocator> *)local_248);
}
std::basic_ifstream>::~basic_ifstream
((basic_ifstream> *)local_228);
if (local_20 != *(long *)(in_FS_OFFSET + 0x28)) {
/* WARNING: Subroutine does not return */
__stack_chk_fail();
}
return 0;
}
Here we cansee that it starts off by scanning the contents of flag.txt and saves it into local_228. Then it initialized an integer array with size entries, although the decompilation only shows 4. So let's look at the assembly code:
001012bc e8 8f fd CALL operator>> undefined operator>>(basic_istre
ff ff
} // end try from 0010127e to 001012c0
001012c1 c7 85 88 MOV dword ptr [RBP + local_280],0x79
fd ff ff
79 00 00 00
001012cb c7 85 8c MOV dword ptr [RBP + local_27c],0x12c97f
fd ff ff
7f c9 12 00
001012d5 c7 85 90 MOV dword ptr [RBP + local_278],0x135f0f8
fd ff ff
f8 f0 35 01
001012df c7 85 94 MOV dword ptr [RBP + local_274],0x74acbc6
fd ff ff
c6 cb 4a 07
001012e9 c7 85 98 MOV dword ptr [RBP + local_270],0x56c614e
fd ff ff
4e 61 6c 05
001012f3 c7 85 9c MOV dword ptr [RBP + local_26c],0xffffffe2
fd ff ff
e2 ff ff ff
We also see that it uses time as a seed. It performs an algorithm where it will generate random numbers by using time a sa seed to edit the values of array, and then it accumulate all of those values to end up with the number we are supposed to guess. Since the rand function is directly based off of the seed, and since the seed is the time, we know what the values the rand function will output, and thus end up with the following C program:
[ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/tux]
→ vim exploit.c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <time.h>
int main()
{
int array[6];
int i, output;
uint32_t randVal, ans;
srand(time(0));
i = 0;
array[0] = 0x79;
array[1] = 0x12c97f;
array[2] = 0x135f0f8;
array[3] = 0x74acbc6;
array[4] = 0x56c614e;
array[5] = 0xffffffe2;
while (i < 6)
{
randVal = rand();
array[i] = array[i] - ((randVal % 10) - 1);
i += 1;
}
i = 0;
output = 0;
while (i < 6)
{
output = output + array[i];
i += 1;
}
printf("%d\n", output);
}
Then we compile our C code:
[ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/tux]
→ gcc exploit.c -o exploit
[ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/tux]
→ ./exploit
let's try it on the binary file:
[ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/tux]
→ ./exploit
234874834
[ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/tux]
→ ./exploit
234874839
[ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/tux]
→ ./exploit
234874828
[ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/tux]
→ ./exploit | ./tuxtalkshow
Welcome to Tux Talk Show 2019!!!
Enter your lucky number: flag{g0tt3m_boyz}
And that's it ! We have been able to print out the flag.
text
text