Binary Gauntlet 1

Problem

Okay, time for a challenge. gauntlet nc mercury.picoctf.net 32853

Program

Solution

Decompile the binary using Ghidra:

main function:

undefined8 main(void)

{
    char local_78 [104];
    char *local_10;
    
    local_10 = (char *)malloc(1000);
    printf("%p\n",local_78);
    fflush(stdout);
    fgets(local_10,1000,stdin);
    local_10[999] = '\0';
    printf(local_10);
    fflush(stdout);
    fgets(local_10,1000,stdin);
    local_10[999] = '\0';
    strcpy(local_78,local_10);
    return 0;
}

Alright, so same program as "Binary Gauntlet 0" except the flag is not printed on a crash and the memory address of local_78 is printed at the beginning of the program.
We can write some shellcode to local_78, pad out to the return address, and overwrite the return address with the address of local_78 that is printed at the beginning.
Run the solution script and then run cat flag.txt to get the flag.

Flag

c6e16a1b4182c2801ed657d4c482af88

PreviousBinary Gauntlet 0 NextStonks

Last updated 2 years ago

Was this helpful?