Oh no! Someone spilled their Starbucks Frappe :(
- Cyber Catamounts
- Sep 7, 2020
- 4 min read
Briefing
I was sitting in my first period Google Meets meeting when someone knocked over their Starbucks Frappe. How sad. However, the team thinks this was a signal to the other notorious C0Ff33L0verS hacker team members that are hiding in our school. We were able to obtain the username and program they use to login to their secret system, but we can’t figure out how to sign in!
Tip: Don’t try to guess the password.
Another tip: If you’re having trouble trying to run the binary or don’t have a linux terminal/VM, try using repl.it’s bash console. https://repl.it/languages/bash
Please Note: This is definitely a higher level challenge, so don’t fret if you don’t understand anything; we’re going to go through everything step by step later in the year. This is just an introduction to what this concept is like.
TL;DR enter more than 15 characters into the program to overflow the buffer. Or, you can use “strings” to print out all the strings in the program. OR, you can open the file in a text editor.
Before we begin, let’s learn how to run a binary!
If you have a VM or linux terminal all set up:
Google if you’re having trouble!
After you download the file, navigate to the correct directory using:
“ls” - list the files that are there
“cd” - cd [directory name] to get into the directory
“cd ..” to go backwards
Now, your computer won’t let you run the binary, so we have to change permissions:
chmod +x [name of the file]
Lastly, to run it, we’re going to do:
./[name of file]
If you’re going to use repl.it:
Drag your file into repl or add it using the +file button
“ls” to make sure the file is uploaded in your current directory
“chmod +x [name of the file]” to allow your computer to run it
./[name of file] to get it running!
Now, onto the “hacking” portion! (There are three ways to solve this problem)
GNU bash, version 4.4.20(1)-release (x86_64-pc-linux-gnu)
ls
coffeeluverslogin main.sh
chmod +x coffeeluverslogin
./coffeeluverslogin
<3 |Welcome to Starbucks!| <3
--------------------------------------------
[Your username is sT4rBu7ks<3]
Enter the password :
When I run the program, it gives me some lovely text and lets me know that I need to enter a password.
Here is the concept of “buffer overflow:” explained with coffee.
What’s a buffer?
In a C program, the programmer allots an amount of space for the user’s input, a buffer!
Let’s say the buffer holds 20 bytes
A Starbucks “Venti” coffee holds 20 oz.
Buffer overflow!
If a user inputs more than 20 bytes, it will overflow
Similarly, if you fill a Venti cup with more than 20 oz., it will overfill as well.
Why don’t we try spilling the coffee?
./coffeeluverslogin
<3 |Welcome to Starbucks!| <3
--------------------------------------------
[Your username is sT4rBu7ks<3]
Enter the password :
1234567890123456
Wrong Password
Success! You have now signed in as sT4rBu7ks<3
Flag: $MAsh_keYB0ARD_70_SPi1l_cOff3e
I entered 16 bytes, but more would have worked as well.
(If you add more than 20 oz. to a Venti, it’s always going to overflow!)
So, what happened in the program?
#include <stdio.h>
#include <string.h>
int main(void)
{
    char buff[15];   /* only 15 bytes of room for the password */
    int pass = 0;
    printf("\n <3 |Welcome to Starbucks!| <3\n");
    printf("\n -------------------------------------------- \n");
    printf("\n [Your username is sT4rBu7ks<3] \n");
    printf("\n Enter the password : \n");
    gets(buff);      /* reads the whole line with no length limit */
    if(strcmp(buff, "ilovemystarbuckssomuch123"))
    {
        printf ("\n Wrong Password \n");
    }
    else
    {
        printf ("\n Correct Password \n");
        pass = 1;
    }
    if(pass)
    {
        /* Now Give root or admin rights to user*/
        printf ("\n Success! You have now signed in as sT4rBu7ks<3 \n");
        printf ("\n Flag: $MAsh_keYB0ARD_70_SPi1l_cOff3e \n");
    }
    return 0;
}
This is the source code of our challenge. Pay attention to the line char buff[15]; near the top! We allotted 15 bytes to the buffer, so 16 bytes would cause the coffee to overflow.
The “gets” function is what makes this vulnerable, but we’ll cover that later.
Steps:
We enter 16 bytes (or more) into the program
However, there are only 15 bytes allocated for the input, so the coffee spills and the pass variable is overwritten
Now, pass does not equal 0 anymore, so it passes the check
if(pass) checks whether pass holds a non-zero value. In C, any non-zero value counts as “true”, so the block runs:
if(pass)
{
    /* Now Give root or admin rights to user*/
    printf ("\n Success! You have now signed in as sT4rBu7ks<3 \n");
    printf ("\n Flag: $MAsh_keYB0ARD_70_SPi1l_cOff3e \n");
}
return 0;
Success! We get the flag.
Flag: $MAsh_keYB0ARD_70_SPi1l_cOff3e
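To see what the fix looks like, here is the same login written so that a long line cannot spill out of the buffer. This is an added example, not the challenge’s own code: the password string is a placeholder, the buffer size (32) and the helper names (read_line_bounded, check_password, login_from_string) are our own, and fmemopen is used only so the login can be driven from a constructed string instead of the keyboard. The key changes are that fgets is told how big the buffer is, anything beyond that is thrown away, and the result of the comparison is returned directly instead of being kept in a pass variable that sits next to the buffer.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE 32   /* 31 characters plus the terminating NUL */

/* Placeholder password for this example, not the challenge's real one. */
static const char EXPECTED_PASSWORD[] = "hypothetical-password";

/* Read one line from `in` into `buff`, never writing more than `size` bytes.
 * If the line fit, its trailing newline is removed. If it did not fit, the
 * leftover characters are discarded so they cannot land anywhere else.
 * Returns 1 if a line was read, 0 on EOF before any input. */
static int read_line_bounded(FILE *in, char *buff, size_t size)
{
    if (fgets(buff, (int)size, in) == NULL) {
        buff[0] = '\0';
        return 0;
    }
    size_t len = strlen(buff);
    if (len > 0 && buff[len - 1] == '\n') {
        buff[len - 1] = '\0';          /* whole line fit: drop the newline */
    } else {
        int c;                         /* line was too long: drain the rest */
        while ((c = fgetc(in)) != EOF && c != '\n') { }
    }
    return 1;
}

/* Returns 1 only on an exact match. No separate flag variable is needed. */
int check_password(const char *candidate)
{
    return strcmp(candidate, EXPECTED_PASSWORD) == 0;
}

/* Runs the login against a constructed input string (via fmemopen) so the
 * behaviour can be checked without a terminal. Returns 1 on success. */
int login_from_string(const char *input)
{
    char buff[BUFF_SIZE];
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL) return 0;
    int got = read_line_bounded(in, buff, sizeof buff);
    fclose(in);
    return got && check_password(buff);
}

int main(void)
{
    char buff[BUFF_SIZE];
    printf("Enter the password : \n");
    if (!read_line_bounded(stdin, buff, sizeof buff)) return 1;
    if (check_password(buff)) {
        printf("Correct Password\n");
    } else {
        printf("Wrong Password\n");
    }
    return 0;
}
```

With this version, mashing the keyboard just gives “Wrong Password”: the 31 characters that fit are compared, the rest is thrown away, and nothing is written past the end of buff.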
Second way to do it
This is a much simpler way to do it, but it won’t always work! You also need a terminal/VM for this, not repl.it
In your VM, navigate to the file’s directory and enter this command:
“strings [name of your file]”
We get a looooooooong output, so I’ve removed the last part of it.
strings coffeeluverslogin
/lib64/ld-linux-x86-64.so.2
libc.so.6
gets
puts
__cxa_finalize
strcmp
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u3UH
[]A\A]A^A_
<3 |Welcome to Starbucks!| <3
--------------------------------------------
[Your username is sT4rBu7ks<3]
Enter the password :
ilovemystarbuckssomuch123
Wrong Password
Correct Password
Success! You have now signed in as sT4rBu7ks<3
Flag: $MAsh_keYB0ARD_70_SPi1l_cOff3e
;*3$"
GCC: (GNU) 8.2.1 20180831
GCC: (GNU) 8.2.1 20181127
init.c
crtstuff.c
[...]
As you can see, it leaks some nice information for us.
We have the password: ilovemystarbuckssomuch123
And, most importantly, the flag: $MAsh_keYB0ARD_70_SPi1l_cOff3e
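Why does strings find the password at all? Every string literal in the C source is copied into the compiled file unchanged, and strings simply walks the file looking for runs of printable bytes. The small program below does the same thing on a constructed byte array that imitates a binary (an ELF-style header, a few machine-code bytes, and some literals, with a placeholder password rather than the real one). It is an added example, not part of the original post, and extract_strings, sample_string_count and sample_contains are names we made up for it. The lesson for anyone writing a login program is that anything hard-coded as a literal is readable by whoever has the file.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_RUNS 16
#define MAX_RUN_LEN 64

/* Constructed stand-in for a compiled binary: non-printable bytes mixed
 * with the literals a C program would carry. The password is a placeholder. */
static const unsigned char SAMPLE_BINARY[] =
    "\x7f" "ELF" "\x02\x01\x01\x00"      /* header: "ELF" is only 3 chars */
    "Enter the password : \x00"
    "hypothetical-password\x00"
    "\x48\x89\xe5"                       /* a few machine-code bytes */
    "Wrong Password\x00"
    "ok\x00";                            /* too short to be reported */

/* Copy every run of at least `min_len` printable bytes from `data` into
 * `out` (NUL-terminated), the way `strings` does with its default of 4.
 * Returns the number of runs stored, capped at `max_runs`. */
size_t extract_strings(const unsigned char *data, size_t len, size_t min_len,
                       char out[][MAX_RUN_LEN], size_t max_runs)
{
    size_t found = 0, run_start = 0;
    for (size_t i = 0; i <= len && found < max_runs; i++) {
        int printable = (i < len) && isprint(data[i]);
        if (printable) continue;                 /* run keeps going */
        size_t run_len = i - run_start;          /* run (or end of data) ended here */
        if (run_len >= min_len) {
            size_t copy = run_len < MAX_RUN_LEN - 1 ? run_len : MAX_RUN_LEN - 1;
            memcpy(out[found], data + run_start, copy);
            out[found][copy] = '\0';
            found++;
        }
        run_start = i + 1;
    }
    return found;
}

/* Number of strings `strings`-style scanning would report for the sample. */
size_t sample_string_count(void)
{
    char out[MAX_RUNS][MAX_RUN_LEN];
    return extract_strings(SAMPLE_BINARY, sizeof SAMPLE_BINARY - 1, 4, out, MAX_RUNS);
}

/* 1 if `needle` is one of the reported strings, 0 otherwise. */
int sample_contains(const char *needle)
{
    char out[MAX_RUNS][MAX_RUN_LEN];
    size_t n = extract_strings(SAMPLE_BINARY, sizeof SAMPLE_BINARY - 1, 4, out, MAX_RUNS);
    for (size_t i = 0; i < n; i++) {
        if (strcmp(out[i], needle) == 0) return 1;
    }
    return 0;
}

int main(void)
{
    char out[MAX_RUNS][MAX_RUN_LEN];
    size_t n = extract_strings(SAMPLE_BINARY, sizeof SAMPLE_BINARY - 1, 4, out, MAX_RUNS);
    for (size_t i = 0; i < n; i++) {
        printf("%s\n", out[i]);   /* prints the three literals, like `strings` */
    }
    return 0;
}
```

Running it prints the prompt, the placeholder password and the error message, and skips “ELF” and “ok” because they are shorter than four characters, which is exactly why the real challenge’s password and flag show up in the strings output above.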
Third way to do it:
(Typically, this way will not solve binary challenges. However, we wanted to let everyone have a chance at solving it without smashing your keyboard or knowing Linux.)
YOU JUST HAVE TO OPEN THE BINARY IN A TEXT EDITOR! Yes, that's the solution. The text editor will show you the printable characters, which include the flag.
You made it to the end! Congrats! (Don't worry if you don't understand it, buffer overflows are pretty complicated)