
Binary Gauntlet 0

Problem

This series of problems has to do with binary protections and how they affect exploiting a very simple program. How far can you make it in the gauntlet?

gauntlet

nc mercury.picoctf.net 37752

Solution

  1. Decompile the binary using Ghidra.

     main function:

     undefined8 main(void)
     {
       char local_88 [108];          /* destination of the strcpy below */
       __gid_t local_1c;
       FILE *local_18;
       char *local_10;               /* heap buffer that holds our input */
       local_10 = (char *)malloc(1000);
       local_18 = fopen("flag.txt","r");
       if (local_18 == (FILE *)0x0) {
         puts(
           "Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server."
         );
         /* WARNING: Subroutine does not return */
         exit(0);
       }
       fgets(flag,0x40,local_18);    /* flag is a global buffer */
       signal(0xb,sigsegv_handler);  /* 0xb == SIGSEGV */
       local_1c = getegid();
       setresgid(local_1c,local_1c,local_1c);
       fgets(local_10,1000,stdin);
       local_10[999] = '\0';
       printf(local_10);             /* user input used directly as the format string */
       fflush(stdout);
       fgets(local_10,1000,stdin);
       local_10[999] = '\0';
       strcpy(local_88,local_10);    /* unbounded copy into the 108-byte stack buffer */
       return 0;
     }

     sigsegv_handler function:

     void sigsegv_handler(void)
     {
       fprintf(stderr,"%s\n",flag);
       fflush(stderr);
       /* WARNING: Subroutine does not return */
       exit(1);
     }
  2. As you can see, if the program crashes with a segmentation fault the flag gets printed: signal(0xb, sigsegv_handler) installs sigsegv_handler for SIGSEGV (signal 11), and the handler writes flag to stderr. We can cause that crash at the strcpy. local_10 holds our second line (up to 999 bytes), local_88 is only 108 bytes, and strcpy copies until the terminating NUL with no length check, so everything past byte 108 lands on the stack above local_88, including main's saved return address. When main returns it jumps to an address made of our bytes and the process receives SIGSEGV. Two things worth noting in the decompilation: there is no stack canary check in main (with a canary, __stack_chk_fail would abort the process with SIGABRT before the ret and the handler would never run), and the first line is passed straight to printf as its format string, a separate bug that is not needed here but means the first line should not contain a %.
  3. So send a single a for the first fgets, then for the second fgets send a line of a few hundred as: anything over 108 overruns local_88, and a few hundred bytes is enough to reach the saved return address while staying under the 999 bytes fgets keeps. strcpy copies all of them into the 108-byte local_88, main returns to an address built from our a bytes, and the resulting crash runs sigsegv_handler, which prints the flag.

Flag

9595dc79e46ae416c5383d858afbb624