# NO CTF NO LIFE

## Boston Key Party CTF 2015 275 Harvard Square

This problem is worth 275 pts, but I think it is easier than other red problems. XD
We can reverse it happily beacuse the programe wasn't stipped.

The problem is a game about transcation of 0days.
We can enter the password and cheat the game, but it's useless. XD
The game print the message:

Welcome to 0day Warz - The goal of the game is to get the $100M USD by the end of the game. You have been given a loan of$2000, with some high interest rate of 25% a day!

The programe for the goal of game:

However, if understanding the game rule, we can know the condition is impossible to reach.
So we must find another vulunerbility.
In fact, there is a bof when play_game() starting.
It cannot overflow to return address, but we can use it to change function pointers. :D

The programe use simple-gc.
(https://github.com/dhamidi/simple-gc/)
It's create two garbage-collectors and put function pointer exploit_free and string_free to gc.
Then, gc will trigger when we do sleep action.
We can overwrite function ptr to action_hiscore, and we can overwrite the return address.

Now, we can write the exploit.
Honestly, I am not familar with x64 architecture exploit....
I waste a lot of time to debug my code. :(

By the way, args on x64 is in register.

So we must find some gadget to control arguments at first.
Then, we can use put() to leak arbitrary address.
There exist a little bug.... stdout dupped to socket.
We won't receive the content immediately.
To solve this bug, I return to action_hiscore() again because it has fflush() at the end of function.

After leak the address, we can calulate the address of system().
Next, We need a string of "/bin/sh".
Luckily, we can find it in libc, too. XD
So we can call system("/bin/sh") to get the shell.

My partitial exploit:

flag: stay_in_school_and_dont_do_the_grugq`