After a long time without playing any CTF, I have finally finished my master's degree and have time to enjoy some CTF challenges again. The first one I played in 2016 was the Tokyo Western/MMA 2nd CTF.
The challenge gave us a 32-bit ELF. The program first uses system to echo some message, then asks us to input our name and prints a greeting message. We can see that there is a format string vulnerability in the main function:
Since the program exits right after printing the greeting message, a plain GOT hijack is hard to use here: no hijacked function gets called afterwards. After discussing with my teammate, we found one more place where we can overwrite a function pointer: the .fini_array section, whose entries are called when the program exits.
So we can overwrite the first entry of the .fini_array section to hijack the control flow. Notice, however, that we can only input 64 bytes, which makes it hard to write both system's address and the "sh" string into the memory buffer in a single pass. Here's what we can do:
Overwrite both the .fini_array section and strlen's GOT entry in the same format string: replace the first entry of .fini_array with the main function's address, and change strlen's GOT entry to system's PLT address.
When the program exits, the .fini_array entry sends it back into the main function. Since strlen's GOT entry now points to system, we can input "sh" and have system("sh") executed inside the getnline function, which calls strlen on our input.
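To show the mechanism this writeup builds on and the mitigation that closes it, here is an added C example (not the author's code and unrelated to the CTF binary): it registers a destructor, confirms that its pointer is stored in .fini_array, and uses dl_iterate_phdr to check whether .fini_array is covered by PT_GNU_RELRO. A binary linked with RELRO (even partial) gets 1 from that check and its .fini_array entries are read-only after startup; the CTF target must have been linked without it. It assumes Linux with a GNU-compatible linker that provides the __fini_array_start and __fini_array_end symbols.

```c
/* Added example, not code from the original writeup or the CTF binary.
 * A function registered as a destructor is stored as a pointer in
 * .fini_array and called at exit; this is why overwriting an entry
 * hijacks control flow. fini_array_is_relro() reports whether the
 * loader remaps that array read-only (PT_GNU_RELRO) after relocation. */
#define _GNU_SOURCE
#include <link.h>
#include <stdint.h>
#include <stdio.h>
/* Linker-provided bounds of .fini_array (GNU ld / lld default scripts). */
extern void (*__fini_array_start[])(void) __attribute__((weak));
extern void (*__fini_array_end[])(void) __attribute__((weak));
/* Destructor: the compiler places its address in .fini_array. */
__attribute__((destructor)) static void fini_hook(void) {
    puts("fini_hook: called from .fini_array at exit");
}
/* Returns 1 if fini_hook's address is an entry of .fini_array. */
int destructor_is_in_fini_array(void) {
    for (void (**p)(void) = __fini_array_start; p < __fini_array_end; p++)
        if (*p == fini_hook) return 1;
    return 0;
}
struct relro_query { uintptr_t addr; int covered; };
/* Callback for each loaded object: test whether q->addr falls inside
 * that object's PT_GNU_RELRO segment (read-only after relocation). */
static int phdr_cb(struct dl_phdr_info *info, size_t size, void *data) {
    struct relro_query *q = data;
    (void)size;
    for (int i = 0; i < info->dlpi_phnum; i++) {
        const ElfW(Phdr) *ph = &info->dlpi_phdr[i];
        if (ph->p_type != PT_GNU_RELRO) continue;
        uintptr_t lo = info->dlpi_addr + ph->p_vaddr;
        if (q->addr >= lo && q->addr < lo + ph->p_memsz) { q->covered = 1; return 1; }
    }
    return 0;  /* keep iterating over the remaining objects */
}
/* Returns 1 if .fini_array lies inside a PT_GNU_RELRO segment,
 * 0 if it stays writable for the whole lifetime of the process. */
int fini_array_is_relro(void) {
    struct relro_query q = { (uintptr_t)__fini_array_start, 0 };
    dl_iterate_phdr(phdr_cb, &q);
    return q.covered;
}
int main(void) {
    printf("destructor registered in .fini_array: %d\n", destructor_is_in_fini_array());
    printf(".fini_array RELRO-protected: %d\n", fini_array_is_relro());
    return 0;
}
```

Running it once with the default link flags and once with `-Wl,-z,norelro` shows the second check flip from 1 to 0; `readelf -l` on the binary shows the same thing through the presence or absence of the GNU_RELRO program header.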