My first C program that says hello, do you want to try it?
Smash was a very cool challenge where you were given the libc version used by the binary. You had to bypass ASLR and then execute a ret2libc attack.
As per usual, run a quick checksec.
Luckily for us, PIE is disabled and there is no canary. That makes our job much easier. Let's run it and see what happens.
Hmm, our input is printed back to us again. Is there another format string bug?
Indeed there is! Is a BoF possible this time?
Awesome.
There's nothing particularly interesting in the decompilation: main takes input and calls say_hello, which prints it back to you.
No interesting strings either. As we are given the libc, everything points to a good old ret2libc attack.
As we only had one input, the logical approach was to use ret2plt to leak the address of puts in libc from the global offset table, then call main again to get a second input.
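Added example (not the challenge's source, whose code is not shown): a hypothetical reconstruction of the two bug classes the writeup relies on, an unbounded stack read and a user-controlled printf format string, beside a hardened say_hello that bounds the copy and only ever passes user data through a "%s" argument. The function names, buffer sizes and compile flags are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define NAME_SZ 64

/* Hypothetical vulnerable shape (assumed, not the challenge binary's code):
 * an unbounded read into a fixed stack buffer (stack overflow), then the
 * buffer itself is passed as printf's format string (format string bug). */
void say_hello_vulnerable(void) {
    char name[NAME_SZ];
    scanf("%s", name);            /* no length bound: writes past name[] */
    printf("Hello, ");
    printf(name);                 /* user-controlled format string */
    putchar('\n');
}

/* Hardened form: the copy into the stack buffer is length-limited and
 * NUL-terminated, and user data only reaches printf as a "%s" argument.
 * Returns the length of the greeting stored in out, or -1 on error. */
int say_hello_safe(const char *input, char *out, size_t out_sz) {
    char name[NAME_SZ];
    if (input == NULL || out == NULL || out_sz == 0)
        return -1;
    /* Bounded copy: at most NAME_SZ-1 bytes, always NUL-terminated. */
    snprintf(name, sizeof name, "%s", input);
    /* Drop a trailing newline left over from a line-based read. */
    name[strcspn(name, "\n")] = '\0';
    int n = snprintf(out, out_sz, "Hello, %s", name);
    if (n < 0)
        return -1;
    /* snprintf reports the untruncated length; report what was stored. */
    return (n < (int)out_sz) ? n : (int)out_sz - 1;
}

/* Stand-alone driver that reads one line like the challenge binary does.
 * Build with the mitigations the writeup notes were absent (no canary, no PIE):
 *   gcc -O2 -fstack-protector-strong -fPIE -pie -Wformat=2 -D_FORTIFY_SOURCE=2 smash.c */
int main(void) {
    char line[256], out[128];
    if (fgets(line, sizeof line, stdin) == NULL)
        return 1;
    if (say_hello_safe(line, out, sizeof out) < 0)
        return 1;
    puts(out);
    return 0;
}
```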
Flag: csictf{5up32_m4210_5m45h_8202}