jeffli6789 on 12:11 AM 04/07/2020: nice one! Need to exploit the vulnerability to solve it.
l0ma on 2:49 PM 04/09/2020: Attention spoiler!
Hi guys, as far as I have understood, we have to use a buffer overflow in order to crack it. I'm new at this, could you give me a hint on how to use this exploit? Thanks
BitFriends on 5:50 PM 04/09/2020: It is not exactly a buffer overflow
tim0tei on 7:07 AM 04/13/2020: At first glance I thought of a buffer overflow to redirect the message call. Unfortunately the 00-termination of strings made me fail with this attempt. Trying to exploit via a format string does not give me a clue where to attack. Any hints?
BitFriends on 5:52 PM 04/13/2020: There is another vulnerability (which is the main vulnerability), but the format string vulnerability is also important.
tim0tei on 6:27 PM 04/15/2020: Indeed, I needed more than one exploit for this. Nice challenge.
ano12 on 11:03 AM 04/20/2020: There are just two vulns.
ano12 on 11:04 AM 04/20/2020: It's easy
ano12 on 11:06 AM 04/20/2020: I will post a writeup.
Heinzeen on 9:33 AM 04/22/2020: =========Spoiler========
I am new to proper binary exploitation, and I can't figure out how to continue this challenge.
I've seen that by inserting 104 random chars in the password I can overwrite the address of the called function, so I tried to modify it, but ASLR is on, so nothing happened (but segmentation faults). Then I tried to overwrite just the last byte since it seems to be static (0x89 for normal, and 0x9c for authenticated), but the string terminator did its job by placing a 0x0 in the second byte, so the address was useless again.
I figured out that there is a format string vulnerability in the first print (the name one), but it doesn't seem like what I can print is going to be very helpful... So can you give me a hint? What am I missing? After discovering the format string vulnerability I thought I could leak some address from which I could take the current base of the program, or something like that, but I can't do that...
BitFriends on 9:46 AM 04/23/2020: And why can't you do that?
BitFriends on 10:02 AM 04/23/2020: @l0ma thank you for your solution. That is a way to solve it, but you should exploit it via format string and heap overflow. I am waiting for another solution which does that. The difficulty of this challenge should be ASLR, but you did not mention that in your solution. And I forgot to say that it is not intended to solve the challenge with a debugger or something. You should only use it to calculate offsets. You can easily set $rip= in gdb to gain code redirection, but that would be too easy. But anyway, thank you for your solution.
Heinzeen on 12:29 PM 04/25/2020: ========Spoiler======
After a few days I discovered (by trying to solve this with a friend of mine, who runs Arch, while I'm on Ubuntu) that he can see an instruction's address on the stack with the format string vuln. I am not able to do that on Ubuntu; everything I can print with that vulnerability is junk or stack addresses, not instructions' addresses... With that address it is now easy to calculate an offset and give the program a password with which to overwrite the function pointer. Now the question is, which mode is this challenge supposed to be run with?
tim0tei on 5:42 PM 04/25/2020: @Heinzeen What exactly did you find on the stack? How do the first 20 values look?
BitFriends on 6:41 PM 04/25/2020: @Heinzeen Maybe you dumped values from the wrong address? Notice that ASLR is on. Also notice that gdb turns off ASLR and activates it at runtime. Try searching for the right addresses.
SquishyPandaDev on 1:33 PM 05/21/2020: Sorry, new to this and I'm super confused. Is the goal to get the "Nice Job!!" message? Because if so, it seems kind of easy for a level 3.
SquishyPandaDev on 1:35 PM 05/21/2020: Wrong hash, my bad, sorry.
BitFriends on 6:56 PM 06/08/2020: Still waiting for a correct solution guys!
unc4nny on 5:38 PM 01/12/2021: Solving this with GDB is fairly straightforward, since in debugging mode the address for the 'authenticated' function will always be the same. But I have absolutely no idea how to do it without it. Any tips?
unc4nny on 5:49 PM 01/12/2021: Sorry, let me rephrase that, I'm sleepy. I think I've successfully found the address of main using the string vuln, and I think I should use this to add the offset of 'authenticated' to this address so I can redirect code to this procedure, but I'm clueless as to how I do it.
unc4nny on 6:03 PM 01/12/2021: Actually it seems to be puts address, not main