We should find the flag in memory. Let’s try:

wget https://artifacts.picoctf.net/c/531/debugger0_c
chmod +x debugger0_c

I use this script for gdb.

I will use gdb-pwndbg

pwndbg> file debugger0_c
Reading symbols from debugger0_c...
(No debugging symbols found in debugger0_c)
pwndbg> disass main
Dump of assembler code for function main:
   0x0000000000401106 <+0>:     endbr64
   0x000000000040110a <+4>:     push   rbp
   0x000000000040110b <+5>:     mov    rbp,rsp
   0x000000000040110e <+8>:     mov    DWORD PTR [rbp-0x14],edi
   0x0000000000401111 <+11>:    mov    QWORD PTR [rbp-0x20],rsi
   0x0000000000401115 <+15>:    mov    DWORD PTR [rbp-0x4],0x2262c96b
   0x000000000040111c <+22>:    mov    eax,DWORD PTR [rbp-0x4]
   0x000000000040111f <+25>:    pop    rbp
   0x0000000000401120 <+26>:    ret
End of assembler dump.

Looking at the assembly code, I can already say that EAX will end up holding the value stored at rbp-4.

Let’s break at *main+15 and *main+22 and see

pwndbg> break *main+22
Breakpoint 1 at 0x40111c
pwndbg> break *main+15
Breakpoint 2 at 0x401115
pwndbg> run
Starting program: /home/ch/ctf/debugger0_c
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
 
Breakpoint 2, 0x0000000000401115 in main ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────────────────────────────────
*RAX  0x401106 (main) ◂— endbr64
*RBX  0x7fffffffe628 —▸ 0x7fffffffe8a2 ◂— '/home/ch/ctf/debugger0_c'
*RCX  0x7ffff7fa5680 —▸ 0x7ffff7fa6fc0 ◂— 0
*RDX  0x7fffffffe638 —▸ 0x7fffffffe8bb ◂— 'PWD=/home/ch/ctf'
*RDI  1
*RSI  0x7fffffffe628 —▸ 0x7fffffffe8a2 ◂— '/home/ch/ctf/debugger0_c'
*R8   0x4011a0 (__libc_csu_fini) ◂— endbr64
*R9   0x7ffff7fcdf40 ◂— endbr64
*R10  0x7fffffffe230 ◂— 0x800000
*R11  0x203
*R12  1
 R13  0
*R14  0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 ◂— 0
 R15  0
*RBP  0x7fffffffe500 —▸ 0x7fffffffe5a0 —▸ 0x7fffffffe600 ◂— 0
*RSP  0x7fffffffe500 —▸ 0x7fffffffe5a0 —▸ 0x7fffffffe600 ◂— 0
*RIP  0x401115 (main+15) ◂— mov dword ptr [rbp - 4], 0x2262c96b
─────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────────────────────────────────
 ► 0x401115       <main+15>    mov    dword ptr [rbp - 4], 0x2262c96b     [0x7fffffffe4fc] => 0x2262c96b
   0x40111c       <main+22>    mov    eax, dword ptr [rbp - 4]            EAX, [0x7fffffffe4fc] => 0x2262c96b
   0x40111f       <main+25>    pop    rbp                                 RBP => 0x7fffffffe5a0
   0x401120       <main+26>    ret                                <0x7ffff7de8c88>

   0x7ffff7de8c88              mov    edi, eax                            EDI => 0x2262c96b
   0x7ffff7de8c8a              call   exit                        <exit>
 
   0x7ffff7de8c8f              call   0x7ffff7e52a60              <0x7ffff7e52a60>
 
   0x7ffff7de8c94              lock sub dword ptr [rip + 0x1bc434], 1
   0x7ffff7de8c9c              je     0x7ffff7de8cb0              <0x7ffff7de8cb0>
 
   0x7ffff7de8c9e              mov    edx, 0x3c                 EDX => 0x3c
   0x7ffff7de8ca3              nop    dword ptr [rax + rax]
──────────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────────
00:0000│ rbp rsp 0x7fffffffe500 —▸ 0x7fffffffe5a0 —▸ 0x7fffffffe600 ◂— 0
01:0008│+008     0x7fffffffe508 —▸ 0x7ffff7de8c88 ◂— mov edi, eax
02:0010│+010     0x7fffffffe510 —▸ 0x7fffffffe550 —▸ 0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 ◂— 0
03:0018│+018     0x7fffffffe518 —▸ 0x7fffffffe628 —▸ 0x7fffffffe8a2 ◂— '/home/ch/ctf/debugger0_c'
04:0020│+020     0x7fffffffe520 ◂— 0x100400040 /* '@' */
05:0028│+028     0x7fffffffe528 —▸ 0x401106 (main) ◂— endbr64
06:0030│+030     0x7fffffffe530 —▸ 0x7fffffffe628 —▸ 0x7fffffffe8a2 ◂— '/home/ch/ctf/debugger0_c'
07:0038│+038     0x7fffffffe538 ◂— 0x8e4b7e662334f6
────────────────────────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────────────────────────
 ► 0         0x401115 main+15
   1   0x7ffff7de8c88
   2   0x7ffff7de8d4c __libc_start_main+140
   3         0x40104e _start+46
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>

At this point there is nothing interesting in EAX yet, and the dword at rbp-4 has not been written:

pwndbg> x/4xb $rbp-4
0x7fffffffe4fc: 0xff    0x7f    0x00    0x00
pwndbg> continue
Continuing.
 
Breakpoint 1, 0x000000000040111c in main ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────────────────────────────────
 RAX  0x401106 (main) ◂— endbr64
 RBX  0x7fffffffe628 —▸ 0x7fffffffe8a2 ◂— '/home/ch/ctf/debugger0_c'
 RCX  0x7ffff7fa5680 —▸ 0x7ffff7fa6fc0 ◂— 0
 RDX  0x7fffffffe638 —▸ 0x7fffffffe8bb ◂— 'PWD=/home/ch/ctf'
 RDI  1
 RSI  0x7fffffffe628 —▸ 0x7fffffffe8a2 ◂— '/home/ch/ctf/debugger0_c'
 R8   0x4011a0 (__libc_csu_fini) ◂— endbr64
 R9   0x7ffff7fcdf40 ◂— endbr64
 R10  0x7fffffffe230 ◂— 0x800000
 R11  0x203
 R12  1
 R13  0
 R14  0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 ◂— 0
 R15  0
 RBP  0x7fffffffe500 —▸ 0x7fffffffe5a0 —▸ 0x7fffffffe600 ◂— 0
 RSP  0x7fffffffe500 —▸ 0x7fffffffe5a0 —▸ 0x7fffffffe600 ◂— 0
*RIP  0x40111c (main+22) ◂— mov eax, dword ptr [rbp - 4]
─────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────────────────────────────────
   0x401115       <main+15>    mov    dword ptr [rbp - 4], 0x2262c96b     [0x7fffffffe4fc] => 0x2262c96b
 ► 0x40111c       <main+22>    mov    eax, dword ptr [rbp - 4]            EAX, [0x7fffffffe4fc] => 0x2262c96b
   0x40111f       <main+25>    pop    rbp                                 RBP => 0x7fffffffe5a0
   0x401120       <main+26>    ret                                <0x7ffff7de8c88>

   0x7ffff7de8c88              mov    edi, eax                            EDI => 0x2262c96b
   0x7ffff7de8c8a              call   exit                        <exit>
 
   0x7ffff7de8c8f              call   0x7ffff7e52a60              <0x7ffff7e52a60>
 
   0x7ffff7de8c94              lock sub dword ptr [rip + 0x1bc434], 1
   0x7ffff7de8c9c              je     0x7ffff7de8cb0              <0x7ffff7de8cb0>
 
   0x7ffff7de8c9e              mov    edx, 0x3c                 EDX => 0x3c
   0x7ffff7de8ca3              nop    dword ptr [rax + rax]
──────────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────────
00:0000│ rbp rsp 0x7fffffffe500 —▸ 0x7fffffffe5a0 —▸ 0x7fffffffe600 ◂— 0
01:0008│+008     0x7fffffffe508 —▸ 0x7ffff7de8c88 ◂— mov edi, eax
02:0010│+010     0x7fffffffe510 —▸ 0x7fffffffe550 —▸ 0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 ◂— 0
03:0018│+018     0x7fffffffe518 —▸ 0x7fffffffe628 —▸ 0x7fffffffe8a2 ◂— '/home/ch/ctf/debugger0_c'
04:0020│+020     0x7fffffffe520 ◂— 0x100400040 /* '@' */
05:0028│+028     0x7fffffffe528 —▸ 0x401106 (main) ◂— endbr64
06:0030│+030     0x7fffffffe530 —▸ 0x7fffffffe628 —▸ 0x7fffffffe8a2 ◂— '/home/ch/ctf/debugger0_c'
07:0038│+038     0x7fffffffe538 ◂— 0x8e4b7e662334f6
────────────────────────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────────────────────────
 ► 0         0x40111c main+22
   1   0x7ffff7de8c88
   2   0x7ffff7de8d4c __libc_start_main+140
   3         0x40104e _start+46
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> x/4xb $rbp-4
0x7fffffffe4fc: 0x6b    0xc9    0x62    0x22
pwndbg>

So the flag is picoCTF{0x6bc96222}
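
Added example, not part of the original write-up: `x/4xb` prints bytes in memory order, so this Python helper parses the two dumps from the session above and reassembles the dword the way the little-endian `mov eax, dword ptr [rbp - 4]` load reads it. The function names are illustrative.

```python
import re

# Output copied from the two `x/4xb $rbp-4` commands in the session above.
BEFORE_STORE = "0x7fffffffe4fc: 0xff    0x7f    0x00    0x00"
AFTER_STORE = "0x7fffffffe4fc: 0x6b    0xc9    0x62    0x22"

# "<address> [<symbol+off>]: <byte> <byte> ..." as printed by gdb's x command.
LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+)(?:\s+<[^>]*>)?:\s*(.*)$")


def parse_x_bytes(dump):
    """Parse `x/Nxb` output into (start_address, bytes in memory order)."""
    start = None
    data = bytearray()
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"not an x/xb line: {line!r}")
        addr = int(m.group(1), 16)
        if start is None:
            start = addr
        elif addr != start + len(data):
            raise ValueError("dump is not contiguous")
        for tok in m.group(2).split():
            value = int(tok, 16)
            if value > 0xFF:
                raise ValueError("expected byte-sized units (x/..xb)")
            data.append(value)
    if start is None:
        raise ValueError("empty dump")
    return start, bytes(data)


def dword_at(dump, offset=0):
    """Value a 32-bit load reads from the dump on little-endian x86-64."""
    _, data = parse_x_bytes(dump)
    chunk = data[offset:offset + 4]
    if len(chunk) != 4:
        raise ValueError("need 4 bytes for a dword")
    return int.from_bytes(chunk, "little")


if __name__ == "__main__":
    for label, dump in (("before main+15", BEFORE_STORE), ("after main+15", AFTER_STORE)):
        value = dword_at(dump)
        print(f"{label}: hex {value:#010x}, decimal {value}")
```

The value recovered from the second dump matches the immediate `0x2262c96b` in the disassembly and the `EAX, [0x7fffffffe4fc] => 0x2262c96b` annotation pwndbg shows at `main+22`.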