I solved this challenge with my teammate @javierprtd.

Category: Exploiting.
Points: 150.
Binary: time_is.

Executing the binary shows the following output.

Well, a format string vulnerability has been found.

The binary reads from stdin using the __getlimit function, and the only delimiter is ‘\n’.

The __printf_chk function is used for printing to stdout, and it checks whether the format string contains positional parameters like “%N$”. That means I can’t use direct parameter access in the format string, but the format string vulnerability still gives us a memory leak.

How to exploit this binary? A stack-based buffer overflow is the answer. The following steps need to be taken:

  • Exploit the format string vulnerability to leak a libc address and calculate the libc base.
  • Leak the canary.
  • Using the libc base, calculate the virtual addresses of the system function and the ‘/bin/sh’ string.
  • Set up the argument of system: register rdi must contain the ‘/bin/sh’ virtual address.
  • Overwrite the original canary at the correct offset.
  • Build the ROP chain.
  • Additionally, the remote service has a preliminary challenge (x changes in each connection):
    • Opening connection to time-is.quals.2017.volgactf.ru on port 45678: Done
      Solve a puzzle: find an x such that 26 last bits of SHA1(x) are set, len(x)==29 and x[:24]== ed6f7c92ad91d92e79fc9258

For solving the challenge about SHA-1, I used the following snippet:
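The author's snippet did not survive extraction. The following is an added example, not the author's code: a brute-force solver for the proof-of-work puzzle above, generalised so the number of trailing bits is a parameter (26 in the challenge). The prefix used in the main block is the one printed by the service in the session above; the real service hands out a new one on every connection.

```python
import hashlib
import itertools
import string

# Characters tried for the unknown suffix (x[24:] in the challenge).
ALPHABET = string.ascii_letters + string.digits


def low_bits_set(data: bytes, nbits: int) -> bool:
    """True if the lowest nbits of SHA1(data), read as a big-endian integer, are all 1."""
    mask = (1 << nbits) - 1
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest & mask == mask


def solve_pow(prefix: str, total_len: int, nbits: int) -> str:
    """Brute-force a suffix so that SHA1(prefix + suffix) has its nbits lowest bits set.

    prefix    -- fixed part given by the server (x[:24] in the challenge)
    total_len -- required len(x) (29 in the challenge)
    nbits     -- number of trailing bits that must be 1 (26 in the challenge)
    """
    suffix_len = total_len - len(prefix)
    if suffix_len <= 0:
        raise ValueError("prefix already fills the whole string")
    # Lazy exhaustive enumeration; expected work is roughly 2**nbits hashes.
    # With 5 free characters there are 62**5 candidates, far more than 2**26.
    for suffix in itertools.product(ALPHABET, repeat=suffix_len):
        candidate = prefix + "".join(suffix)
        if low_bits_set(candidate.encode(), nbits):
            return candidate
    raise RuntimeError("search space exhausted without a solution")


if __name__ == "__main__":
    # Prefix taken from the session shown above; a live service sends a fresh one.
    PREFIX = "ed6f7c92ad91d92e79fc9258"
    x = solve_pow(PREFIX, 29, 26)
    print(x, hashlib.sha1(x.encode()).hexdigest())
```

With 26 bits the search averages about 2^26 SHA-1 computations, which takes on the order of a minute in pure Python.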

In my tests, the remote libc version is the same as my local one.

Now I’ll build the exploit. First, get the libc base and the virtual addresses of the system function and the ‘/bin/sh’ string.

Next, get the cookie (the stack canary).

Lastly, build the ROP chain.

Finally, launch the exploit.

The flag is: VolgaCTF{D0nt_u$e_printf_dont_use_C_dont_pr0gr@m}.

The full exploit can be found here.