How to prevent strings to read CTF flags in C

Question

I am creating a simple CTF in buffer overflow below is the sample code:

#include <stdio.h>

void secretFunction()
{
    printf("this is your flag!\n");
}

void echo()
{
    char buffer[20];

    printf("Enter some text:\n");
    printf("%s", buffer);
    printf("You entered: %s\n", buffer);    
}

int main()
{
    echo();

    return 0;
}

Compile: gcc vuln.c -o vuln -fno-stack-protector -m32

But if we do strings vuln its displays the actual flag directly is there any way where my secretFunction is not visible when users to strings on the binary.

If you are trying to hide the string, you could try to use ascii codes and putchar. So the first word `this` would be `putchar(116); putchar(104); putchar(105); putchar(115);`. — Deanie, Feb 08 '19 at 19:17
How deep do you want to hide your secret? Obviously you can't hide it completely within the single file. So you can only obfuscate it to be hard to read using common tools. — Eugene Sh., Feb 08 '19 at 19:17
@Erlkoenig *You'd have to encrypt/scramble the text somehow.* And even then, anyone you give your application to has a working copy that runs on their computer - if they want to, they **will** figure it out. — Andrew Henle, Feb 08 '19 at 19:26
@AndrewHenle of course, that is the point of this exercise ("CTF"). — Erlkoenig, Feb 09 '19 at 15:57
You'd probably have to host this on some server, where the client logs in under some uid, and runs a binary with the suid/sgid bit on in order to read out a certain flag. An example of this exists in [pwncollege's dojo repo](https://github.com/pwncollege/dojo), for example. — alex, May 15 '22 at 17:53

b3a1e · Answer 1 · 2022-05-10T12:38:29.870

In my opinion, encrypting the string with xor should be the easiest way to avoid leaking strings.

#include <stdio.h>

void secretFunction()
{
    //printf("this is your flag!\n");
    unsigned char str[] = {184, 164, 165, 191, 236, 165, 191, 236, 181, 163, 185, 190, 236, 170, 160, 173, 171, 237, 198, 0};
    for (int i = 0; i < 19; i++)
        putchar(str[i] ^ 0xcc);
}

void echo()
{
    char buffer[20];

    printf("Enter some text:\n");
    scanf("%s", buffer);
    printf("You entered: %s\n", buffer);
}

int main()
{
    echo();

    return 0;
}

hijack the control flow:

$ ./exp.py
[+] Starting local process './vuln' argv=[b'./vuln'] : pid 4658
[DEBUG] Received 0x11 bytes:
    b'Enter some text:\n'
[DEBUG] Sent 0x25 bytes:
    00000000  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 41  │AAAA│AAAA│AAAA│AAAA│
    *
    00000020  f6 91 04 08  0a                                     │····│·│
    00000025
[*] Switching to interactive mode
[DEBUG] Received 0x45 bytes:
    00000000  59 6f 75 20  65 6e 74 65  72 65 64 3a  20 41 41 41  │You │ente│red:│ AAA│
    00000010  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 41  │AAAA│AAAA│AAAA│AAAA│
    00000020  41 41 41 41  41 41 41 41  41 41 41 41  41 f6 91 04  │AAAA│AAAA│AAAA│A···│
    00000030  08 0a 74 68  69 73 20 69  73 20 79 6f  75 72 20 66  │··th│is i│s yo│ur f│
    00000040  6c 61 67 21  0a                                     │lag!│·│
    00000045
You entered: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xf6\x9
this is your flag!

As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). — Community, May 10 '22 at 07:16
It would probably be very easy to reverse engineer this binary and just obtain the flag that way, no? — alex, May 15 '22 at 17:51
@alex yes. But he wants to prevent leakage from `strings`, xor is the easiest way to me. — b3a1e, May 16 '22 at 02:42

score 0 · Answer 2 · answered Oct 06 '19 at 08:59

0

Generally, the solution is to distribute a binary which runs on a remote server, and replaces the actual key with a placeholder on the CTF-competitor's copy.

An easy way to do this is with environment variables, because the CTF

answered Oct 06 '19 at 08:59

Zach Riggle

2,975
19
26

How to prevent strings to read CTF flags in C

2 Answers2