Posts 2020 Metasploit Community CTF - 9 of Clubs (port 1337) [Pwn]

2020 Metasploit Community CTF - 9 of Clubs (port 1337) [Pwn]

Port 1337 hosts a TCP service that prompts the user to choose one of several options, and later takes some text input. After trying several techniques, we discovered that it had a format string vulnerability

When sending a random string over the second option (2. Greetings), the server replies with Hello _{string}_!!!, {string} being our input. This option was the only that reflected the user’s input.

To further understand this vulnerability we set up the following scenario locally. The C program below allocates the flag “Scavenger{CTF_MSF}” on the stack.

Since the printf(str) call is not properly sanitized, it is vulnerable to the format string vulnerability mentioned above.

In this bash loop we generate a new input for each iteration in the format of %i$s, where i is the loop counter. This use of the dollar sign is a C language extension introduced by the POSIX standard. What this effectively does is to print the i-th argument for printf with the specified format (%s in this case). For example, in the following snippet, the output would be c, as it is the third parameter:

printf("%3$c", 'a', 'b', 'c');

In our case, we are exploiting the format string vulnerability to print the i-th pointer on the stack as a null-terminted string. The proper way to sanitize it in this case should be as shown below.

Trying this same methodology on the challenge itself, we can find the flag by either using the dollar sign extension to skip positions, or manually writing the full format string to reach the element we are interested in.

This post is licensed under CC BY 4.0 by the author.