BitFriends's auth

Author:
BitFriends

Language:
C/C++

Upload:
2020-03-31 13:46

Download

Platform:
Unix/linux etc.

Difficulty:
3.3

Quality:
4.5

Arch:
x86-64

Downloads:
26

Size:
16.60 KB

Writeups:
4

Comments:
21

Description

Welcome to another crackme by me! Patching is not allowed. Good luck! --Infos-- Language: C ASLR: on Goal: "Right Password" --- Have fun!

Comments (21)
Writeups (4)

You must be logged in to post a comment

jeffli6789 on 2020-04-07 00:11: nice one! Need to exploit the vulnerability to solve it.

l0ma on 2020-04-09 14:49: Attention spoiler! Hi guys, as far as I have understand we have to use a buffer overflow in order to crack it. I'm new at this, could you give me a hint on how to use this exploit? thx

BitFriends on 2020-04-09 17:50: It is not exactly a buffer overflow

tim0tei on 2020-04-13 07:07: At first glance I thought to buffer overflow and redirect the the message-call. Unfortunately the 00-termination of strings made me fail with this attempt. Trying to exploit via a format string does not give me a clue where to attack. Any hints?

BitFriends on 2020-04-13 17:52: There is another vulnerability (which is the main vulnerability), but the format string vulnerability is also important.

tim0tei on 2020-04-15 18:27: Indeed I needed more than one exploitation for this. Nice challenge.

ano12 on 2020-04-20 11:03: There are just two vulns,

ano12 on 2020-04-20 11:04: It's easy

ano12 on 2020-04-20 11:06: I will post a writeup.

Heinzeen on 2020-04-22 09:33: =========Spoiler======== I am new to proper binary exploitation, and I can't figure out how to continue this challenge. I've seen that by inserting 104 random chars in the password I can overwrite the address of the called function, so I tried to modify it but the aslr is on, so nothing happened (but segmentation faults). Then I tried to overwrite just the last byte since it seems to be static (0x89 for normal, and 0x9c for authenticated) but the string terminator did its job by placing a 0x0 in the second byte so the address was useless again. I figured out that there is a format string vulnerability in the first print (the name one) but it doesn't seem like what I can print is going to be very helpful... So can you give me a hint? What am I missing? After discovering the format string vulnerability I thought I could leak some address from which I could take the current base for the program, or something like that, but I can't do that...

BitFriends on 2020-04-23 09:46: And why cant you do that?

BitFriends on 2020-04-23 10:02: @l0ma thank you for your solution. That is a way to solve it, but you should exploit it via format string and heap overflow. I am waiting for another solution, which does that. The difficulty of this challenge should be aslr, but you did not mention that in your solution. And I forgot to say, that it is not intended to solve the challenge with a debugger or something. You should only use it to calculate offsets. You can easily set $rip= in gdb to gain code redirection, but that would be too easy. But anyways, thank you for your solution.

Heinzeen on 2020-04-25 12:29: ========Spoiler====== After a few days I discovered (by trying to solve this with a friend of mine, who has arch os, while I'm on ubuntu) that he can see an instruction's address in the stack with the format string vuln. I am not able to do that in ubuntu, everything I can print with that vulnerability is junk or stack addresses, not instructions' addresses... With that address it is now easy to calculate an offset and give the program a password with which to overwrite the function pointer. Now the question is, which mode is this challenge supposed to be run with?

tim0tei on 2020-04-25 17:42: @Heinzeen What exactly you found on the stack? How do the first 20 values look like?

BitFriends on 2020-04-25 18:41: @Heinzeen Maybe you dumped values from the wrong address? Notice that aslr is on. Also notice, that gdb turns off aslr, and activates it on runtime. Try searching for the right addresses

SquishyPandaDev on 2020-05-21 13:33: Sry, new to this and I'm supper confused. Is the goal to get the "Nice Job!!" message because if so, it seems kind of easy for a level 3.

SquishyPandaDev on 2020-05-21 13:35: Wrong hash my bad sry

BitFriends on 2020-06-08 18:56: Still waiting for a correct solution guys!

unc4nny on 2021-01-12 17:38: Solving this with GDB is fairly straightforward, since in debugging mode the address for the 'authenticated' function will always be the same. But I have absolutely no idea how to do it without it. Any tips?

unc4nny on 2021-01-12 17:49: Sorry, let me rephrase that, I'm sleepy. I think I've successfuly found the address of main using the string vuln, and I think I should use this to add the offset of 'authenticated' to this address so i can redirect code to this procedure, but I'm clueless as to how do I do it

unc4nny on 2021-01-12 18:03: Actually it seems to be puts address, not main

You must be logged in to submit a writeup

Solution by l0ma on 2020-04-10 08:29:
Hopefully a correct and easy to read solution

Download

Solution by bottonim on 2020-06-28 17:39:
thanks

Download

Solution by cd80 on 2021-08-04 16:42:
This solution can also be viewed online in Markdown at: https://github.com/cd80-ctf/crackmes.one/tree/main/BitFriends-auth

Download

Solution by eveninglatte on 2024-03-28 19:24:
I had good fun with this one and learned a ton, thanks! The password to the archive is "crackmes.one"

Download