Binary Gauntlet 0

Problem

This series of problems has to do with binary protections and how they affect exploiting a very simple program. How far can you make it in the gauntlet? gauntlet nc mercury.picoctf.net 37752

gauntlet

Solution

Decompile the binary using Ghidra.

main function:

undefined8 main(void)

{
char local_88 [108];
__gid_t local_1c;
FILE *local_18;
char *local_10;

local_10 = (char *)malloc(1000);
local_18 = fopen("flag.txt","r");
if (local_18 == (FILE *)0x0) {
    puts(
        "Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are runningthis on the shell server."
        );
                    /* WARNING: Subroutine does not return */
    exit(0);
}
fgets(flag,0x40,local_18);
signal(0xb,sigsegv_handler);
local_1c = getegid();
setresgid(local_1c,local_1c,local_1c);
fgets(local_10,1000,stdin);
local_10[999] = '\0';
printf(local_10);
fflush(stdout);
fgets(local_10,1000,stdin);
local_10[999] = '\0';
strcpy(local_88,local_10);
return 0;
}

sigsegv_handler function:

void sigsegv_handler(void)

{
    fprintf(stderr,"%s\n",flag);
    fflush(stderr);
                        /* WARNING: Subroutine does not return */
    exit(1);
}

As you can see, if the program crashes the flag will be printed. We can cause a crash by overflowing the the local_88 when local_10 is copied into in the strcpy function. We control local_10
So send one a for the first fgets and then send more than 108 as for the second fgets so those 108+ as get copied into a variable with a size of 108 and thus overflow and cause a crash.

Flag

9595dc79e46ae416c5383d858afbb624

PreviousREADME NextBinary Gauntlet 1

Last updated 2 years ago

Was this helpful?

Binary Gauntlet 0

Problem

This series of problems has to do with binary protections and how they affect exploiting a very simple program. How far can you make it in the gauntlet? gauntlet nc mercury.picoctf.net 37752

gauntlet

Solution

Decompile the binary using Ghidra.

main function:

undefined8 main(void)

{
char local_88 [108];
__gid_t local_1c;
FILE *local_18;
char *local_10;

local_10 = (char *)malloc(1000);
local_18 = fopen("flag.txt","r");
if (local_18 == (FILE *)0x0) {
    puts(
        "Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are runningthis on the shell server."
        );
                    /* WARNING: Subroutine does not return */
    exit(0);
}
fgets(flag,0x40,local_18);
signal(0xb,sigsegv_handler);
local_1c = getegid();
setresgid(local_1c,local_1c,local_1c);
fgets(local_10,1000,stdin);
local_10[999] = '\0';
printf(local_10);
fflush(stdout);
fgets(local_10,1000,stdin);
local_10[999] = '\0';
strcpy(local_88,local_10);
return 0;
}

sigsegv_handler function:

void sigsegv_handler(void)

{
    fprintf(stderr,"%s\n",flag);
    fflush(stderr);
                        /* WARNING: Subroutine does not return */
    exit(1);
}

As you can see, if the program crashes the flag will be printed. We can cause a crash by overflowing the the local_88 when local_10 is copied into in the strcpy function. We control local_10
So send one a for the first fgets and then send more than 108 as for the second fgets so those 108+ as get copied into a variable with a size of 108 and thus overflow and cause a crash.

Flag

9595dc79e46ae416c5383d858afbb624

PreviousREADME NextBinary Gauntlet 1

Last updated 2 years ago

Was this helpful?