Pancakes — H@cktivityCon CTF Challenge

Christopher Forte
3 min read · Aug 3, 2020

Pancakes, the easiest of the binary exploitation challenges, was a fun little binary for some quick points during H@cktivityCon by HackerOne. I appreciated the simplicity of the challenge and it ended up being one of my favorites of the event.

“Pancakes” was an ELF binary that produced a lovely little stack of ASCII pancakes after asking how many you want. Once you entered a value, the application would run and produce the output shown in the image below.

Each challenge came with a binary, so step one was to see what was going on under the hood. Using Ghidra, you can see that the application was “gets-ing” input from the user and placing it in a 128-byte char array. After getting the input, the application calls “atoi” on the value and then never uses it again. Regardless of how the value is used, the input process becomes the source of the buffer overflow, because nothing bounds the length of the input before it is written to the buffer. Within Ghidra, and confirmed in EDB, you can see an unused function “secret_recipe” at memory location “0x0040098b”. This function reads “flag.txt” from disk and outputs the contents to the screen.
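For contrast, here is the input-handling shape the writeup describes next to a bounded version of it. This is an added illustration, not the challenge's actual source: the vulnerable form is reconstructed from the text above (128-byte array, gets, atoi) and shown only as a comment, and the hardened form uses fgets with the buffer size plus strtol with range checks. The MAX_PANCAKES limit and the read_count/parse_count names are assumptions for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable shape described in the writeup (reconstructed, not the real
 * source): a fixed 128-byte buffer filled by gets(), which has no length
 * limit, then atoi() with no validation.
 *
 *   char buf[128];
 *   gets(buf);          // keeps writing past buf once input exceeds 127 bytes
 *   int n = atoi(buf);  // silent on garbage, empty input or overflow
 */

#define BUF_LEN 128
#define MAX_PANCAKES 100 /* hypothetical application limit, not from the challenge */

/* Parse a pancake count from one line. Returns 0 and stores the value in *out,
 * or -1 if the line is not a whole number in [0, MAX_PANCAKES]. strtol replaces
 * atoi so that "no digits", "out of range" and "trailing junk" are detectable. */
int parse_count(const char *line, long *out) {
    char *end = NULL;
    errno = 0;
    long val = strtol(line, &end, 10);
    if (end == line || errno == ERANGE)
        return -1;
    while (*end == ' ' || *end == '\t' || *end == '\n' || *end == '\r')
        end++;
    if (*end != '\0')
        return -1;
    if (val < 0 || val > MAX_PANCAKES)
        return -1;
    *out = val;
    return 0;
}

/* Bounded line read. Returns 0 on success, -1 on EOF/error, and -2 when the
 * line did not fit in `len` bytes; in that case the rest of the line is drained
 * so it cannot be mistaken for the next answer. */
int read_line_bounded(FILE *in, char *buf, size_t len) {
    if (fgets(buf, (int)len, in) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n')
        return 0;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    return -2;
}

/* Hardened replacement for the gets()+atoi() sequence. */
int read_count(FILE *in, long *out) {
    char buf[BUF_LEN];
    int rc = read_line_bounded(in, buf, sizeof buf);
    if (rc != 0)
        return rc;
    return parse_count(buf, out);
}

/* Test helper: feed a constructed string through read_count via a temp file. */
int read_count_from_string(const char *input, long *out) {
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    fputs(input, f);
    rewind(f);
    int rc = read_count(f, out);
    fclose(f);
    return rc;
}

/* A 200-byte line like the one the writeup mentions (constructed here) is
 * rejected by the bounded reader instead of running off the end of the array. */
int overlong_input_result(void) {
    char big[202];
    memset(big, 'A', 200);
    big[200] = '\n';
    big[201] = '\0';
    long v = 0;
    return read_count_from_string(big, &v);
}

int main(void) {
    long n = 0;
    printf("how many pancakes? ");
    if (read_count(stdin, &n) != 0) {
        puts("invalid count");
        return 1;
    }
    for (long i = 0; i < n; i++)
        puts("  (======)");
    return 0;
}
```

The two changes that matter are passing the buffer size to the read call and refusing input that does not end in a newline; the strtol checks are there so that a non-numeric or out-of-range answer is reported rather than quietly becoming zero.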

Disassembly and glimpse of the secret_recipe function.

We can see that the exploitation is going to have to overflow the character array and overwrite the return address with the address of the secret_recipe function. To do this, “msf-pattern_create” can be used to generate a unique sequence of characters and “msf-pattern_offset” can be used to query where a specific sequence is located in the original pattern. Running the application in EDB shows a segmentation fault when trying to return to an odd address that appears to be caused by our 200-character input string from msf-pattern_create. A quick lookup of the address shows that it was at an offset of 152.

Offset from msf-pattern_offset

Now that we have the offset, we can test it and attempt to read from a local file called “flag.txt” by using the secret function in the binary. Using Python (the command below uses the Python 2 print statement), 152 characters are generated and followed by the 64-bit address of the secret_recipe function in little-endian format. This string is then piped into the binary.

python -c "print 'A' * 152 + '\x8b\x09\x40\x00\x00\x00\x00\x00'" | ./pancakes

Success! The contents of the file are printed below the stack of pancakes just before the application crashes. This means that we successfully overwrote the return address with the address of the secret_recipe function by overflowing the char array. A quick change to the command pipes the payload to a Netcat connection to the challenge box and we get the flag!

python -c "print 'A' * 152 + '\x8b\x09\x40\x00\x00\x00\x00\x00'" | nc jh2i.com 50021

Thanks to HackerOne, and all those involved, for putting on a great event!