2023 Business CTF: Hackback

#htb #ctf #pwn #medium #c2 #buffer-overflow #heap-exploitation

Challenge Information

AttributeDetails
Event2023 Business CTF
CategoryBinary Exploitation (PWN)
ChallengeHackback
DifficultyMedium

Summary

Hackback is a medium-level binary exploitation challenge involving the exploitation of an enemy’s Command and Control (C2) service. Through an informant, you’ve obtained the C2 service binary and its complete source code. The challenge requires identifying and exploiting vulnerabilities in the bot management protocol to achieve remote code execution and disrupt the C2 infrastructure.

Challenge Information

The challenge description states:

“A critical breakthrough has occurred in our ongoing battle on the cyber front. Through an invaluable informant, we have obtained exclusive access to the enemy’s Command and Control (C2) service, along with its complete source code. This unprecedented advantage demands immediate action to exploit weaknesses within their C2 infrastructure.”

Analysis

C2 Service Architecture

Based on the provided source code (main.c), the C2 service manages a collection of bots with the following structure:

typedef struct C2Bot {
    size_t domainLen;
    uint8_t* domain;
    uint16_t port;
    uint16_t nameLen;
    uint8_t* name;
} C2Bot;

The service supports up to 32 bots and implements four main operations:

  • 0xAA (ADDREDIRECTORBOTURL): Add/update bot C2 domain and port
  • 0xBB (ADDNEWBOT): Register a new bot
  • 0xCC (CHANGEBOTNAME): Modify an existing bot’s name
  • 0xDD (FETCHBOTNAME): Retrieve a bot’s name

Vulnerability Analysis

Vulnerability 1: Off-by-One in changeBotName

In the changeBotName function (lines 81-123):

memcpy(tmp_buf, buf->start, sizeof(uint8_t));
new_length = (uint16_t)(*tmp_buf);  // Line 103: Only reads 1 byte, not 2!

The code reads only 1 byte into a uint16_t, but advances by 2 bytes:

buf->start += sizeof(uint16_t);  // Line 105

This causes a reading/writing offset mismatch.

Vulnerability 2: Buffer Overflow in changeBotName

If the new_length exceeds the current nameLen:

if(new_length > c2Bot->nameLen) {
    // ... realloc to new_length
    c2Bot->name = malloc(new_length);
}


strncpy(c2Bot->name, buf->start, new_length);  // Line 120

The strncpy can overflow the allocated buffer if controlled properly.

Vulnerability 3: Heap Overflow in addRedirectorBotURL

In the addRedirectorBotURL function (lines 165-174):

c2Bot->domainLen = buf->end - buf->start;
memcpy(c2Bot->domain, buf->start, c2Bot->domainLen);

The domain parsing uses strstr to find “.io” but the memcpy uses calculated length. An attacker can craft input to write beyond allocated buffer.

Solution

Step 1: Connect to the C2 Service

Terminal window
nc <TARGET_IP> <TARGET_PORT>

Step 2: Exploit Heap Corruption

Craft a sequence of operations to trigger heap corruption:

  1. Add multiple bots to populate the heap
  2. Use changeBotName to cause an off-by-one read/write
  3. Overwrite adjacent heap structures

Step 3: Achieve Code Execution

By carefully overwriting heap metadata or function pointers:

  1. Corrupt a bot structure’s function pointer
  2. Trigger the corrupted operation to execute arbitrary code
  3. Establish a reverse shell

Example Payload Structure

The attack typically involves:

  1. Creating bots with specific name lengths
  2. Changing bot names with oversized lengths
  3. Overflowing into adjacent heap allocations
  4. Writing shellcode or ROP gadget addresses
# Pseudocode for exploitation
# 1. Add bot 0 with small name
# 2. Add bot 1 with specific allocation pattern
# 3. Change bot 0's name with large size to overflow into bot 1
# 4. Leverage heap overflow to control execution

Step 4: Extract the Flag

Once code execution is achieved:

Terminal window
cat /flag.txt
# or read from memory depending on challenge setup

Key Vulnerabilities Summary

VulnerabilityLocationTypeSeverity
Byte/Word MismatchchangeBotName line 103Logic ErrorHigh
Buffer OverflowchangeBotName strncpyHeap OverflowCritical
Domain ParsingaddRedirectorBotURL line 173Buffer OverflowHigh
No Bounds CheckingaddNewBot line 222Logic ErrorMedium

Key Takeaways

  • Consistent Type Handling: Ensure consistent size handling when reading multi-byte values
  • Bounds Validation: Always validate buffer sizes before memcpy/strncpy operations
  • String Parsing: Avoid unsafe string operations; use length-prefixed protocols
  • Heap Safety: Be aware of heap layout and adjacent allocations when exploiting overflows
  • Input Sanitization: Validate all user-supplied lengths and offsets
  • Code Review: The availability of source code greatly facilitates vulnerability discovery