Balsn CTF 2022 Writeup
I played Balsn CTF last week and solved several challenges. In this post I will only cover the Pwn and smart contract challenges.
Challenge list:
- Flag Market 1 (Pwn)
- Cairo Reverse (Smart contract)
Flag Market 1
Do you love flags? Try to buy some! nc flag-market-us.balsnctf.com 19091 or nc flag-market-sin.balsnctf.com 19091 or nc flag-market-uk.balsnctf.com 19091 Note: Distributed file is in challenge Flag Market 1 https://balsnctf-challenges-2022.s3.amazonaws.com/flag_market_1/234b79b0adee52c9402019214038dce9.zip
Identify The Vulnerability
We were given several files, from the Dockerfile to the source code and a Makefile.
First I started checking flag_market.c, where I found a buffer overflow vulnerability in connection_handler. The sscanf() call can trigger a buffer overflow because the request buffer is larger than the method and path buffers, and there is no check or length limitation, so all the data from request is copied into the method and path buffers. In this situation we can overflow the buffer and overwrite host and port, which leads to an SSRF vulnerability.

Next, I found that our goal is to access the web service on port 31337, which allows us to read the flag.
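To make the bug concrete, here is an added example (my code, not the challenge's flag_market.c): a minimal connection state whose buffer sizes and field order are assumptions for illustration, the unbounded sscanf pattern the writeup describes, and a hardened parser that bounds each %s and rejects tokens that would have overflowed instead of letting them spill into host and port.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout, not the challenge's real one: sizes and field order (path
 * followed by host and port) are assumptions that show why an unbounded copy
 * into path can overwrite the upstream host and port. */
#define METHOD_SIZE 16
#define PATH_SIZE   768
#define HOST_SIZE   64

struct conn_state {
    char method[METHOD_SIZE];
    char path[PATH_SIZE];
    char host[HOST_SIZE];  /* adjacent to path: where an overflow lands */
    int  port;             /* rewriting this redirects the proxied request */
};

/* Vulnerable pattern the writeup describes: %s without a width copies as many
 * bytes as the request holds into fixed-size buffers (fine only on short input). */
int parse_request_unsafe(const char *request, struct conn_state *st)
{
    return sscanf(request, "%s %s", st->method, st->path) == 2 ? 0 : -1;
}

/* Hardened version: widths are size-1 (room for the NUL sscanf appends), and %n
 * records where each token ended, so a token that filled its buffer is followed
 * by a non-whitespace byte and gets rejected instead of silently truncated. */
int parse_request_safe(const char *request, struct conn_state *st)
{
    char method[METHOD_SIZE], path[PATH_SIZE];
    int m_end = 0, p_end = 0;
    if (sscanf(request, "%15s%n %767s%n", method, &m_end, path, &p_end) != 2)
        return -1;
    if (!strchr(" \t", request[m_end]))            /* method hit 15 chars */
        return -1;
    if (request[p_end] && !strchr(" \t\r\n", request[p_end]))
        return -1;                                 /* path hit 767 chars */
    strcpy(st->method, method);  /* both fit: at most size-1 chars plus NUL */
    strcpy(st->path, path);
    return 0;
}

/* Feeds a constructed request whose path exceeds PATH_SIZE to the hardened
 * parser and returns its verdict (-1 expected); host and port stay untouched. */
int demo_overlong_path(struct conn_state *st)
{
    char request[PATH_SIZE + 256];
    int n = snprintf(request, sizeof request, "GET /");
    memset(request + n, 'A', PATH_SIZE + 100);
    request[n + PATH_SIZE + 100] = '\0';
    return parse_request_safe(request, st);
}
```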
Setup debugging environment
In order to debug the binary, I edited a few things in docker-compose-chal.yml. Next, run deploy.sh to install and deploy the challenge on the local machine. After deploy.sh has executed we should have a service running on port 13337.

Now we need to install gdb in the docker container by running these commands, so we can debug the binary inside the container itself by attaching gdb to the PID of the process. Now we can set a breakpoint with b *route+1152 so we can determine the offset needed to overwrite the port and host.

After setting the breakpoint, we can use pattern create from gdb-gef to determine exactly how much input is needed to overwrite the port buffer, which allows us to perform SSRF via the buffer overflow. As you can see from the screenshot above, we can overwrite the port buffer using 768 bytes of padding and then overwrite it with 31337 so we can access the internal website. Here is my exploit to perform SSRF via the buffer overflow:
Cairo Reverse
Simple cairo reverse starknet-compile 0.9.1 https://balsnctf-challenges-2022.s3.amazonaws.com/cairo-reverse/1912abefd6b99c40e35a2bdaaa6f7fb2.zip Author: ysc
Analyzing the smart contract file
After analysis I found that we have to reveal the censored value from the contract.cairo file. I used thoth to decompile the compiled JSON file. Thoth (pronounced "toss") is a Cairo/Starknet analyzer, disassembler and decompiler written in Python 3. Thoth's features also include the generation of the call graph and control-flow graph (CFG) of a given Cairo/Starknet compilation artifact. You can install thoth by running these commands.

After analyzing the Cairo bytecode and reading the get_flag() function, I found the secret value. Now we can replicate the smart contract source code in Python to get the flag.