Binary Gauntlet 1
Problem
Okay, time for a challenge. gauntlet nc mercury.picoctf.net 32853
Solution
Decompile the binary using Ghidra. The main function (cleaned up from the decompiler output, with the Ghidra `undefined8` return type written as `int` and the headers it needs added; the bugs are left exactly as the binary has them):

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void)
{
    char local_78[104];                 /* fixed-size stack buffer */
    char *local_10;

    local_10 = (char *)malloc(1000);    /* heap buffer for user input */
    printf("%p\n", local_78);           /* leaks the address of the stack buffer */
    fflush(stdout);

    fgets(local_10, 1000, stdin);
    local_10[999] = '\0';
    printf(local_10);                   /* user input used directly as the format string */
    fflush(stdout);

    fgets(local_10, 1000, stdin);
    local_10[999] = '\0';
    strcpy(local_78, local_10);         /* up to 999 bytes copied into a 104-byte buffer */
    return 0;
}
```
Alright, so this is the same program as "Binary Gauntlet 0", except that the flag is not printed on a crash and the address of local_78 is printed at the beginning of the program. That leak is what makes the overflow usable even with stack address randomisation: we can write some shellcode into local_78, pad out to the saved return address, and overwrite the return address with the address of local_78 that was printed at the beginning (this also depends on the binary's stack being executable, since execution is redirected straight into the buffer). Run the solution script and then run cat flag.txt to get the flag.
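For comparison, here is a hardened version of the same main, written as an added example for this writeup rather than taken from the challenge binary: the address leak is gone, the input is passed to printf as an argument instead of as the format string, and the unchecked strcpy is replaced by a bounded copy (copy_bounded is my own helper, not a libc function) that can never overrun the 104-byte local_78.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STACK_BUF 104   /* size of local_78 in the decompiled main */
#define HEAP_BUF  1000  /* size of the malloc'd input buffer */

/* Bounded replacement for strcpy(local_78, local_10): copies at most
 * dstsz-1 bytes and always NUL-terminates dst.
 * Returns how many source bytes were dropped (0 when src fit). */
size_t copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return n;
    size_t keep = n < dstsz - 1 ? n : dstsz - 1;
    memcpy(dst, src, keep);
    dst[keep] = '\0';
    return n - keep;
}

/* Hardened main: same two reads as the challenge binary, but without the
 * stack-address leak, the format-string bug or the stack overflow. */
int main(void)
{
    char stackbuf[STACK_BUF];
    char *heapbuf = malloc(HEAP_BUF);
    if (heapbuf == NULL)
        return 1;

    /* no printf("%p\n", stackbuf): the stack layout stays private */
    if (fgets(heapbuf, HEAP_BUF, stdin) == NULL) { free(heapbuf); return 1; }
    heapbuf[HEAP_BUF - 1] = '\0';
    printf("%s", heapbuf);              /* input is data, never the format */
    fflush(stdout);

    if (fgets(heapbuf, HEAP_BUF, stdin) == NULL) { free(heapbuf); return 1; }
    heapbuf[HEAP_BUF - 1] = '\0';
    size_t dropped = copy_bounded(stackbuf, sizeof stackbuf, heapbuf);
    if (dropped)
        fprintf(stderr, "input truncated by %zu bytes\n", dropped);

    free(heapbuf);
    return 0;
}
```

A 999-byte second line, which overflows the original binary, is cut to 103 bytes plus the terminator here.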
Flag
c6e16a1b4182c2801ed657d4c482af88