Problem

This series of problems has to do with binary protections and how they affect exploiting a very simple program. How far can you make it in the gauntlet? gauntlet nc mercury.picoctf.net 37752

• gauntlet

Solution

1. Decompile the binary using Ghidra.

   main function:

   Copy

   undefined8 main(void)
   
   {
   char local_88 [108];
   __gid_t local_1c;
   FILE *local_18;
   char *local_10;
   
   local_10 = (char *)malloc(1000);
   local_18 = fopen("flag.txt","r");
   if (local_18 == (FILE *)0x0) {
       puts(
           "Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are runningthis on the shell server."
           );
                       /* WARNING: Subroutine does not return */
       exit(0);
   }
   fgets(flag,0x40,local_18);
   signal(0xb,sigsegv_handler);
   local_1c = getegid();
   setresgid(local_1c,local_1c,local_1c);
   fgets(local_10,1000,stdin);
   local_10[999] = '\0';
   printf(local_10);
   fflush(stdout);
   fgets(local_10,1000,stdin);
   local_10[999] = '\0';
   strcpy(local_88,local_10);
   return 0;
   }

   sigsegv_handler function:

   Copy

   void sigsegv_handler(void)
   
   {
       fprintf(stderr,"%s\n",flag);
       fflush(stderr);
                           /* WARNING: Subroutine does not return */
       exit(1);
   }

2. As you can see, if the program crashes the flag will be printed. We can cause a crash by overflowing the the local_88 when local_10 is copied into in the strcpy function. We control local_10

3. So send one a for the first fgets and then send more than 108 as for the second fgets so those 108+ as get copied into a variable with a size of 108 and thus overflow and cause a crash.

Flag

9595dc79e46ae416c5383d858afbb624