Name: User After Free (1.0)
Added: 2019-12-03
Difficulty: ★★★★☆ (3.7)
OS: Windows 7
ASLR: Yes
DEP (NX): Yes
GuardStack: No
CFG: No

The Challenge

UnnamedStartup have released a new chat platform to compete with Slack; unfortunately, they didn’t hire any security testers to audit it before release.

In the zip you will find 4 files:

  1. UserAfterFree.exe (A copy of the chat server).
  2. UserAfterFree.pdb (A symbols file to help with reversing and debugging, though you can delete it if you want to reverse on hard mode).
  3. ChatClient.py (An example chat client to interact with the chat server).
  4. CheckFlag.py (Check if the flag you found is valid with “python CheckFlag.py FLAG{TEST-FLAG}”).

Rules

  • You can reverse engineer the server binary to find vulnerabilities and develop exploits, but not extract the flags.
  • The do_not_reverse() function is used to set up the flags. You don’t need to reverse this to complete the challenge, and dumping the flags from it is cheating.
  • Assume that if this were a live CTF, the flags on the target server would be different to the ones hardcoded in UserAfterFree.exe.
  • You are not allowed to modify the server binary in any way.
  • Your exploits should work remotely, even against a server running on a system you have no access to.
  • It’s ok to assume the OS of the target system.
  • It’s ok if the server crashes after you obtain a flag.

Need Help?

Our discord server has a help channel for reversing and exploitation challenges. Be sure to use the spoiler option when sharing any information about the challenges which may spoil it for others.
https://discord.gg/DwpqNrG

I’ll be doing a recorded livestream walkthrough of the challenge once people have had time to complete it. Follow my Twitter for the livestream announcement (afterwards the video will be added to this page).

Flag 1:

Returned using the GETFLAG command.

Flag 2:

The default admin’s username.

Flag 3:

Returned by calling the GetFlag2 function.

You Win:

Get remote code execution on the server.

Download Link:

https://malwaretech.com/downloads/challenges/UserAfterFree1.0.rar
password: MalwareTech

If you like my challenges and livestreams, please consider supporting me on Patreon!
https://www.patreon.com/join/MalwareTech