PicoCTF-2021 Writeup
  • README
  • Binary Exploitation
    • Binary Gauntlet 0
    • Binary Gauntlet 1
    • Stonks
    • What's your input?
  • Cryptography
    • Compress and Attack
    • Dachshund Attacks
    • Double DES
    • Easy Peasy
    • It is my Birthday 2
    • It's Not My Fault 1
    • Mini RSA
    • New Caesar
    • New Vignere
    • No Padding, No Problem
    • Pixelated
    • Play Nice
    • Scrambled: RSA
  • Forensics
    • Disk, disk, sleuth!
    • Disk, disk, sleuth! II
    • information
    • MacroHard WeakEdge
    • Matryoshka doll
    • Milkslap
    • Surfing the Waves
    • Trivial Flag Transfer Protocol
    • tunn3l v1s10n
    • Very very very Hidden
    • Weird File
    • Wireshark doo dooo do doo...
    • Wireshark twoo twooo two twoo...
  • Reverse Engineering
    • ARMssembly 0
    • ARMssembly 2
    • ARMssembly 3
    • ARMssembly 4
    • gogo
    • Hurry up! Wait!
    • keygenme-py
    • Let's get dynamic
    • Rolling My Own
    • Shop
    • speeds and feeds
    • Transformation
  • Web Exploitation
    • Ancient History
    • Bithug
    • GET aHEAD
    • It is my Birthday
    • More Cookies
    • Most Cookies
    • Scavenger Hunt
    • Some Assembly Required 1
    • Some Assembly Required 2
    • Some Assembly Required 3
    • Some Assembly Required 4
    • Super Serial
    • Web Gauntlet 2
    • Web Gauntlet 3
    • Who are you?
    • X marks the spot
Powered by GitBook
On this page
  • Problem
  • Solution
  • Flag

Was this helpful?

Edit on GitHub
  1. Binary Exploitation

Binary Gauntlet 0

PreviousREADMENextBinary Gauntlet 1

Last updated 2 years ago

Was this helpful?

Problem

This series of problems has to do with binary protections and how they affect exploiting a very simple program. How far can you make it in the gauntlet? gauntlet nc mercury.picoctf.net 37752

Solution

  1. Decompile the binary using Ghidra.

    main function:

    undefined8 main(void)
    
    {
    char local_88 [108];
    __gid_t local_1c;
    FILE *local_18;
    char *local_10;
    
    local_10 = (char *)malloc(1000);
    local_18 = fopen("flag.txt","r");
    if (local_18 == (FILE *)0x0) {
        puts(
            "Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are runningthis on the shell server."
            );
                        /* WARNING: Subroutine does not return */
        exit(0);
    }
    fgets(flag,0x40,local_18);
    signal(0xb,sigsegv_handler);
    local_1c = getegid();
    setresgid(local_1c,local_1c,local_1c);
    fgets(local_10,1000,stdin);
    local_10[999] = '\0';
    printf(local_10);
    fflush(stdout);
    fgets(local_10,1000,stdin);
    local_10[999] = '\0';
    strcpy(local_88,local_10);
    return 0;
    }

    sigsegv_handler function:

    void sigsegv_handler(void)
    
    {
        fprintf(stderr,"%s\n",flag);
        fflush(stderr);
                            /* WARNING: Subroutine does not return */
        exit(1);
    }
  2. As you can see, if the program crashes the flag will be printed. We can cause a crash by overflowing the the local_88 when local_10 is copied into in the strcpy function. We control local_10

  3. So send one a for the first fgets and then send more than 108 as for the second fgets so those 108+ as get copied into a variable with a size of 108 and thus overflow and cause a crash.

Flag

9595dc79e46ae416c5383d858afbb624

gauntlet