Easy Overflow - DuckCTF 2023

We have been provided with the C code for this challenge:

    #include <stdio.h>
    #include <stdlib.h>

    int main(int argc, char *argv[]) {
        int id = 0;
        char name[16] = "";
        printf("Input your name: ");
        gets(name);
        printf("Your name is %s with ID %d.\n", name, id);
        if (id == 1179402567) {
            printf("%s\n", argv[1]);
        }
        return 0;
    }

As we can see, the program uses the vulnerable gets function, which performs no bounds check on the 16-byte name buffer. We can use gets to overwrite the id variable, which is just above the name variable on the stack....

August 4, 2023 · lachlan

Return Address Override - DuckCTF 2023

This challenge provides us with the binary, so let us begin by printing the objects in the binary with objdump -t:

    SYMBOL TABLE:
    0000000000000000 l    df *ABS*     0000000000000000 crt1.c
    0000000000000000 l    df *ABS*     0000000000000000 crtstuff.c
    0000000000403e60 l     O .ctors    0000000000000000 __CTOR_LIST__
    0000000000403e70 l     O .dtors    0000000000000000 __DTOR_LIST__
    0000000000402070 l     O .eh_frame 0000000000000000 __EH_FRAME_BEGIN__
    0000000000401090 l     F .text     0000000000000000 deregister_tm_clones
    00000000004010c0 l     F .text     0000000000000000 register_tm_clones
    0000000000401100 l     F .text     0000000000000000 __do_global_dtors_aux
    0000000000404020 l     O ....

August 4, 2023 · lachlan

Evil Eval - UACTF 2022

Trying a variety of inputs over netcat, you'll quickly discover two key pieces of information from the error messages:

- The characters 'f', 'l', 'a', 'g', '.', 't', 'x', 't', and '`' are all blocked.
- Our input can't have more than eight distinct characters.

We can infer that our goal is something to the effect of making a system call like cat flag.txt in eight or fewer distinct characters. Looking through Ruby's pre-defined variables, we can see that $" denotes a long list of module names (loaded by require) which we can potentially character-index and frankenstein together to write out "flag....

August 7, 2022 · javad