HTB Business CTF — Deck of vuln

Collin Joseph
Jul 26, 2021

Challenge

We were given a 64-bit ELF executable. The challenge was to exploit it and get a shell.

Category : Reverse Engineering

Difficulty : Medium

Reverse Engineering

I started by decompiling the program in Ghidra to see what it does. The main function has an infinite do-while loop that prints the menu, with a switch statement that dispatches on our choice.

The line that piqued my interest was the one that initialises the deque. I didn't see anything exploitable at this stage.

We were given six choices, or actions. I didn't see anything weird in those functions either.

So I started GDB and analysed the executable dynamically.

After some manual fuzzing I found something interesting.

BUG

If you add two vulnerabilities to the patch list, flip to time priority, and then add more vulnerabilities, the heap pointers for the new entries get written into the first chunk we allocated for the first vulnerability. We can then abuse the "edit vulnerability" option to overwrite such a pointer. Repeating the same flip-and-edit sequence lets us write to any arbitrary location.

(Image: heap layout, edited to fit the entire heap in one picture.)

Exploitation

After finding this, my plan was to overwrite __free_hook with the address of system in libc, so that freeing a heap chunk containing the string '/bin/sh' would give me a shell. For this I started by leaking libc.

Leaking Libc

To leak libc and heap addresses I followed this pattern: add two vulnerabilities of minimum size to the patch list, flip to time priority, then patch the first vulnerability. Next, add a new vulnerability of a larger size, which creates a free chunk in the unsorted bin with fd and bk pointers.

Then, when we allocate a new chunk of minimum size, malloc carves it out of that unsorted chunk without clearing the stale metadata, so we can read back the fd or bk pointer. Both point at the unsorted bin's head inside main_arena, which lives in libc's data segment.

Finding Offsets

From the leak I calculated the offset to the libc base, which was -0x1bf000 (libc base = leak - 0x1bf000). The offsets from the libc base to __free_hook and to system were 0x1c1b60 and 0x49bc0 respectively. These numbers are specific to the libc build the challenge ships with; check them against that file (for example with readelf -s, or pwntools' ELF().symbols) rather than against your local libc.
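The following is an added example, not code from the writeup or from the challenge binary. It reproduces the leak pattern from "Leaking Libc" and the base calculation from "Finding Offsets" in a harmless stand-alone C program: a chunk too large for tcache is freed into the unsorted bin, a minimum-size chunk is then carved from it, and the stale fd and fd_nextsize fields are read out of the fresh allocation. Instead of a hardcoded offset it looks the leaked pointer up in /proc/self/maps to find the object and its load base, which is how you would derive the writeup's -0x1bf000 for a given libc. It assumes Linux with glibc (2.26 or later, so tcache is present) and that the process has done no other allocations beforehand; the helper names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* What the leak recovers, plus where the libc pointer lands in this process. */
struct unsorted_leak {
    uintptr_t chunk_user;  /* user pointer of the small chunk we read from */
    uintptr_t libc_ptr;    /* stale fd: a bin header inside main_arena (libc) */
    uintptr_t heap_ptr;    /* stale fd_nextsize: the split chunk's own header */
    uintptr_t libc_base;   /* lowest mapping of the object holding libc_ptr */
    char module[256];      /* path of that object, e.g. .../libc.so.6 */
};

/* Walk /proc/self/maps (Linux only): find the mapped object that contains addr
 * and the lowest address it is mapped at. Returns 1 on success. */
static int locate_in_maps(uintptr_t addr, uintptr_t *base, char *path, size_t pathsz) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    char line[512], hit[256] = "";
    unsigned long start, end;
    /* Pass 1: the mapping containing addr tells us which object it belongs to. */
    while (fgets(line, sizeof line, f)) {
        char p[256] = "";
        if (sscanf(line, "%lx-%lx %*s %*s %*s %*s %255s", &start, &end, p) < 2) continue;
        if (addr >= start && addr < end) { strncpy(hit, p, sizeof hit - 1); break; }
    }
    if (!hit[0]) { fclose(f); return 0; }   /* anonymous mapping or not found */
    /* Pass 2: the first mapping with that path is the object's load base. */
    rewind(f);
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        char p[256] = "";
        if (sscanf(line, "%lx-%lx %*s %*s %*s %*s %255s", &start, &end, p) < 3) continue;
        if (strcmp(p, hit) == 0) { *base = start; found = 1; break; }
    }
    fclose(f);
    snprintf(path, pathsz, "%s", hit);
    return found;
}

/* The writeup's leak pattern on a plain heap (no vulnerable program needed:
 * the uninitialised read is self-inflicted). Returns 1 if the leaked libc
 * pointer could be located in the memory map. */
int unsorted_bin_leak(struct unsorted_leak *out) {
    char *big   = malloc(0x500);   /* 0x510 chunk: too big for tcache and fastbins */
    char *guard = malloc(0x20);    /* keeps big from merging into the top chunk */
    if (!big || !guard) return 0;
    free(big);                     /* big now sits in the unsorted bin, fd/bk -> main_arena */
    /* A minimum-size request is served by splitting big; malloc does not zero
     * the returned memory, so the old bin metadata is still there. */
    uintptr_t *small = malloc(0x18);
    if (!small) return 0;
    memset(out, 0, sizeof *out);
    out->chunk_user = (uintptr_t)small;
    out->libc_ptr   = small[0];    /* old fd: bin header inside libc's main_arena */
    out->heap_ptr   = small[2];    /* old fd_nextsize: points at this chunk's header */
    return locate_in_maps(out->libc_ptr, &out->libc_base, out->module, sizeof out->module);
}

int main(void) {
    struct unsorted_leak lk;
    if (!unsorted_bin_leak(&lk)) {
        puts("leaked pointer did not land in a mapped object");
        return 1;
    }
    printf("leaked libc ptr : %#lx in %s\n", (unsigned long)lk.libc_ptr, lk.module);
    printf("libc base       : %#lx\n", (unsigned long)lk.libc_base);
    printf("leak - base     : %#lx (the writeup's libc gave 0x1bf000)\n",
           (unsigned long)(lk.libc_ptr - lk.libc_base));
    printf("leaked heap ptr : %#lx (chunk header, user ptr %#lx)\n",
           (unsigned long)lk.heap_ptr, (unsigned long)lk.chunk_user);
    return 0;
}
```

Build with `gcc -o leak leak.c` and compare the printed base against `vmmap` in gdb. Two things to keep in mind when reusing this against a target: the `leak - base` value changes with every libc build, so it must be computed from the challenge's own libc, and `__free_hook` was removed in glibc 2.34, so the free-hook overwrite in this writeup only applies to older libc versions.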

Putting it all together

The final step was to script everything to get a shell.

Script : https://github.com/team0001-ctf/ctf-writups/blob/master/htb_business/pwn/deck_of_vulns/exploit.py
