Binary Gauntlet 1

Problem

Okay, time for a challenge. Binary: gauntlet. Connect with: nc mercury.picoctf.net 32853

Solution

1. Decompile the binary using Ghidra. The main function (Ghidra shows the return type as undefined8; includes added and the relevant defects commented):

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(void)
    {
        char local_78 [104];        /* fixed-size stack buffer */
        char *local_10;
        local_10 = (char *)malloc(1000);
        printf("%p\n",local_78);    /* prints the stack address of local_78 */
        fflush(stdout);
        fgets(local_10,1000,stdin);
        local_10[999] = '\0';
        printf(local_10);           /* user input used directly as the format string */
        fflush(stdout);
        fgets(local_10,1000,stdin);
        local_10[999] = '\0';
        strcpy(local_78,local_10);  /* up to 999 bytes copied into a 104-byte buffer: stack overflow */
        return 0;
    }

2. This is the same program as "Binary Gauntlet 0", except that the flag is no longer printed on a crash and the address of local_78 is printed at the start of the program.

3. We can write shellcode into local_78, pad up to the saved return address, and overwrite it with the address of local_78 that the program prints at the start.

4. Run the solution script, then run cat flag.txt to get the flag.
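As an added example that is not part of this writeup or of the challenge binary, here is the hardened form of the same main: no stack address is printed, the echo uses a fixed format string, and the copy into the stack buffer refuses any input that does not fit. The buffer sizes 104 and 1000 come from the decompilation above; the function names bounded_copy, strip_newline, hardened_main and run_constructed_demo, and the two sample inputs, are my own. Input and output go through FILE pointers so the constructed inputs can be fed in with fmemopen.

```c
#define _POSIX_C_SOURCE 200809L   /* strnlen, fmemopen */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STACK_BUF_SIZE 104   /* size of local_78 in the decompiled main */
#define INPUT_SIZE     1000  /* size of the malloc'd input buffer */

/* Copy src into dst only if it fits, NUL terminator included.
 * Returns 0 on success; returns -1 and leaves dst untouched otherwise. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strnlen(src, dst_size);
    if (len >= dst_size)          /* no room for the terminator: would overflow */
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Remove the trailing newline that fgets keeps; returns the new length. */
size_t strip_newline(char *s)
{
    size_t len = strlen(s);
    if (len > 0 && s[len - 1] == '\n')
        s[--len] = '\0';
    return len;
}

/* Hardened counterpart of the challenge's main (hypothetical name).
 * Returns 0 on success, 1 on read failure or oversized input. */
int hardened_main(FILE *in, FILE *out)
{
    char local_78[STACK_BUF_SIZE];
    char *input = malloc(INPUT_SIZE);
    if (input == NULL)
        return 1;

    /* 1. The original printed &local_78 here; the hardened version prints nothing. */

    /* 2. First line: echo it through a fixed format string, so any
     *    conversion specifiers in the input are printed literally. */
    if (fgets(input, INPUT_SIZE, in) == NULL) { free(input); return 1; }
    strip_newline(input);
    fprintf(out, "%s\n", input);
    fflush(out);

    /* 3. Second line: copy only if it fits local_78, else refuse it. */
    if (fgets(input, INPUT_SIZE, in) == NULL) { free(input); return 1; }
    strip_newline(input);
    if (bounded_copy(local_78, sizeof local_78, input) != 0) {
        fputs("input too long\n", out);
        free(input);
        return 1;
    }
    free(input);
    return 0;
}

/* Runs hardened_main over two constructed inputs (not from the challenge):
 * a benign pair of lines, and a pair whose second line is far longer than
 * local_78. Returns how many inputs were rejected (expected: 1). */
int run_constructed_demo(void)
{
    char benign[] = "%x %x %x\nshort line\n";
    char oversize[256] = "%p\n";
    memset(oversize + 3, 'A', 200);      /* 200 bytes > STACK_BUF_SIZE */
    memcpy(oversize + 203, "\n", 2);

    int rejected = 0;
    char *inputs[] = { benign, oversize };
    for (int i = 0; i < 2; i++) {
        FILE *in  = fmemopen(inputs[i], strlen(inputs[i]), "r");
        FILE *out = tmpfile();
        if (in == NULL || out == NULL)
            return -1;
        if (hardened_main(in, out) != 0)
            rejected++;
        fclose(in);
        fclose(out);
    }
    return rejected;
}

int main(void)
{
    printf("rejected inputs: %d\n", run_constructed_demo());
    return 0;
}
```

The bounded copy rejects oversized input outright rather than silently truncating, so the program's behaviour on bad input is an explicit error instead of a crash, and the stack address that the exploit relies on is never disclosed.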

Flag

c6e16a1b4182c2801ed657d4c482af88