search
githubEdit

Binary Gauntlet 1

hashtag
Problem

Okay, time for a challenge. gauntlet nc mercury.picoctf.net 32853

hashtag
Solution

  1. Decompile the binary using Ghidra:

    main function:

    undefined8 main(void)

{
    char local_78 [104];
    char *local_10;
    
    local_10 = (char *)malloc(1000);
    printf("%p\n",local_78);
    fflush(stdout);
    fgets(local_10,1000,stdin);
    local_10[999] = '\0';
    printf(local_10);
    fflush(stdout);
    fgets(local_10,1000,stdin);
    local_10[999] = '\0';
    strcpy(local_78,local_10);
    return 0;
}

  2. Alright, so same program as "Binary Gauntlet 0" except the flag is not printed on a crash and the memory address of local_78 is printed at the beginning of the program.

  3. We can write some shellcode to local_78, pad out to the return address, and overwrite the return address with the address of local_78 that is printed at the beginning.

  4. Run the solution scriptarrow-up-right and then run cat flag.txt to get the flag.

hashtag
Flag

c6e16a1b4182c2801ed657d4c482af88

PreviousBinary Gauntlet 0NextStonks

Last updated