Today the coffee chat bot paired me with Mauricio. When we met, he was working on pwnable with Cory. I had never heard of capture the flag games until I started RC. These are games where you have to exploit some security bug in order to ‘capture the flag’.
It was super cool. We worked on problem 10. When you click on problem 10 the only instruction you receive is to ssh into a server.
Once you ssh into the server and run ls, you can see a C file, an executable, the flag, and the intended solution. You only have permission to view the C file and execute the executable. The only thing you can do is enter the right argument to the file.
The idea is that when you solve the problem and run the C program with the correct arguments, then a bash command or script will display the flag. For example, in problem 1, when you solve the puzzle the following code is executed:
The problems are about system exploitation, but really they are about operating systems and systems architecture. The way to solve the puzzles is by understanding how the computer works, by inspecting the address locations of various functions, by understanding the stack and the heap, and by inspecting the machine code that is generated.
Problem 1 was about file systems. There is a clue that I misinterpreted as translating something from hex into ASCII.
My misinterpretation led me to read up on files in Linux. I read the man page for read and attempted to understand the file descriptor. How do file descriptors really work? On Linux, fd refers to a process in /proc/PID/fd/. I attempted to look in this directory but had no access. ps -ef also does not work – I don't have access. The file descriptor is also an index to a table maintained by the kernel, which is an index to another table. This may be the solution to my problem. But I sort of thought not, since I probably don't have permissions to any of these tables.
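The two-level lookup mentioned above, as an added example that is not from the original post or from the CTF: a descriptor is an index into a per-process table, and each slot points at a kernel open-file entry that holds the read offset. The function names and the /tmp path are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Create a temp file of constructed sample data; return an fd at offset 0. */
int make_sample(char *path) {
    int fd = mkstemp(path);
    if (fd >= 0 && write(fd, "constructed sample", 18) == 18)
        lseek(fd, 0, SEEK_SET);
    return fd;
}

/* Read 4 bytes through fd a, then report the offset seen through a second
 * descriptor: a dup() of a (use_dup=1) or an independent open() (use_dup=0). */
long offset_seen_by_other_fd(int use_dup) {
    char path[] = "/tmp/fd_demo_XXXXXX", buf[4];
    int a = make_sample(path);
    if (a < 0) return -1;
    int b = use_dup ? dup(a) : open(path, O_RDONLY);
    long off = -1;
    if (b >= 0 && read(a, buf, sizeof buf) == (ssize_t)sizeof buf)
        off = (long)lseek(b, 0, SEEK_CUR);
    if (b >= 0) close(b);
    close(a);
    unlink(path);
    return off;
}

/* close() frees a table slot; the next open() gets the lowest free index. */
int closed_slot_is_reused(void) {
    char path[] = "/tmp/fd_demo_XXXXXX";
    int a = make_sample(path);
    if (a < 0) return -1;
    close(a);
    int b = open(path, O_RDONLY);
    int reused = (b == a);
    if (b >= 0) close(b);
    unlink(path);
    return reused;
}

int main(void) {
    printf("offset via dup():  %ld\n", offset_seen_by_other_fd(1)); /* 4 */
    printf("offset via open(): %ld\n", offset_seen_by_other_fd(0)); /* 0 */
    printf("slot reused:       %d\n", closed_slot_is_reused());     /* 1 */
    return 0;
}
```

The dup() case moves with the original descriptor because both slots share one open-file entry, while the separate open() keeps its own offset.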
Then I methodically started reading the documentation on all the function calls like atoi. SPOILER ALERT. I discovered that my initial intuition was correct but a bit off the mark – I won't tell you why but it should be obvious. I quickly was able to exploit the bug and capture the flag! What a rush!
Mauricio suggested picoCTF. I also found this pretty exhaustive list. I've got to say, CTF is a real thrill.