# Binary Gauntlet 0

## Problem

> This series of problems has to do with binary protections and how they affect exploiting a very simple program. How far can you make it in the gauntlet? gauntlet nc mercury.picoctf.net 37752

* [gauntlet](https://github.com/HHousen/PicoCTF-2021/blob/master/Binary%20Exploitation/Binary%20Gauntlet%200/gauntlet/README.md)

## Solution

1. Decompile the binary using Ghidra.

   `main` function:

   ```c
   undefined8 main(void)

   {
     char local_88 [108];
     __gid_t local_1c;
     FILE *local_18;
     char *local_10;

     local_10 = (char *)malloc(1000);
     local_18 = fopen("flag.txt","r");
     if (local_18 == (FILE *)0x0) {
       puts(
           "Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are runningthis on the shell server."
           );
                       /* WARNING: Subroutine does not return */
       exit(0);
     }
     fgets(flag,0x40,local_18);
     signal(0xb,sigsegv_handler);
     local_1c = getegid();
     setresgid(local_1c,local_1c,local_1c);
     fgets(local_10,1000,stdin);
     local_10[999] = '\0';
     printf(local_10);
     fflush(stdout);
     fgets(local_10,1000,stdin);
     local_10[999] = '\0';
     strcpy(local_88,local_10);
     return 0;
   }
   ```

   `sigsegv_handler` function:

   ```c
   void sigsegv_handler(void)

   {
     fprintf(stderr,"%s\n",flag);
     fflush(stderr);
                       /* WARNING: Subroutine does not return */
     exit(1);
   }
   ```
2. As you can see, if the program crashes the flag will be printed: `signal(0xb, sigsegv_handler)` registers a `SIGSEGV` handler that writes `flag` to stderr. We can cause a crash by overflowing `local_88` when `local_10` is copied into it by `strcpy`, and we control `local_10`.
3. So send one `a` for the first `fgets`, then send more than 108 `a`s for the second `fgets`. Those 108+ `a`s are copied into a buffer of size 108, overflowing it and causing a crash.
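
The root cause above is the unchecked `strcpy` of a 1000-byte line into a 108-byte stack buffer. As an added illustration (not part of the original writeup or the challenge binary), the following C shows a bounded replacement for that copy and replays the writeup's input lengths against it; the sizes 1000 and 108 are taken from the decompilation, while `copy_bounded` and `copy_run_of_a` are names chosen here.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sizes taken from the decompiled gauntlet binary: fgets() reads up to
 * 1000 bytes into a heap buffer, which is then strcpy()'d into the
 * 108-byte stack buffer local_88 with no length check. */
#define LINE_SIZE 1000
#define DEST_SIZE 108

/* Hardened replacement for strcpy(local_88, local_10): copy src into dst
 * only if it fits together with its NUL terminator. On failure dst is
 * left as an empty string and false is returned, so the caller can
 * reject the line instead of writing past the end of the stack buffer. */
bool copy_bounded(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return false;
    size_t n = strnlen(src, dst_size);      /* never scans past dst_size */
    if (n >= dst_size) {                    /* no room for the terminator */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);
    return true;
}

/* Simulates the writeup's second input: a constructed line of `count`
 * 'a' characters. Returns how many bytes landed in the 108-byte
 * destination, or -1 if the bounded copy rejected the line. */
int copy_run_of_a(size_t count) {
    char line[LINE_SIZE];
    char dest[DEST_SIZE];
    if (count >= LINE_SIZE) count = LINE_SIZE - 1;  /* mirror fgets' limit */
    memset(line, 'a', count);
    line[count] = '\0';
    if (!copy_bounded(dest, sizeof dest, line)) return -1;
    return (int)strlen(dest);
}

int main(void) {
    /* 107 'a's plus the terminator exactly fill 108 bytes; 108 or more
     * (the writeup's crashing input) are refused instead of overflowing. */
    printf("107 a's -> %d\n", copy_run_of_a(107));   /* 107 */
    printf("108 a's -> %d\n", copy_run_of_a(108));   /* -1  */
    printf("200 a's -> %d\n", copy_run_of_a(200));   /* -1  */
    return 0;
}
```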

### Flag

`9595dc79e46ae416c5383d858afbb624`
