Binary Gauntlet 0

Problem
This series of problems has to do with binary protections and how they affect exploiting a very simple program. How far can you make it in the gauntlet? gauntlet nc mercury.picoctf.net 37752
​gauntlet​
Solution
1.Decompile the binary using Ghidra.
main function:
undefined8 main(void)
​
{
char local_88 [108];
__gid_t local_1c;
FILE *local_18;
char *local_10;
​
local_10 = (char *)malloc(1000);
local_18 = fopen("flag.txt","r");
if (local_18 == (FILE *)0x0) {
    puts(
        "Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are runningthis on the shell server."
        );
                    /* WARNING: Subroutine does not return */
    exit(0);
}
fgets(flag,0x40,local_18);
signal(0xb,sigsegv_handler);
local_1c = getegid();
setresgid(local_1c,local_1c,local_1c);
fgets(local_10,1000,stdin);
local_10[999] = '\0';
printf(local_10);
fflush(stdout);
fgets(local_10,1000,stdin);
local_10[999] = '\0';
strcpy(local_88,local_10);
return 0;
}
sigsegv_handler function:
void sigsegv_handler(void)
​
{
    fprintf(stderr,"%s\n",flag);
    fflush(stderr);
                        /* WARNING: Subroutine does not return */
    exit(1);
}
2.As you can see, if the program crashes the flag will be printed. We can cause a crash by overflowing the the local_88 when local_10 is copied into in the strcpy function. We control local_10
3.So send one a for the first fgets and then send more than 108 as for the second fgets so those 108+ as get copied into a variable with a size of 108 and thus overflow and cause a crash.
Flag
9595dc79e46ae416c5383d858afbb624
Last modified 6mo ago