Starting place
PWN EASY - 346
We are given a .out executable file to download, so we do, and also a server to connect to, but I'm guessing that's just the same file running. So first we give the file executable permissions,
then execute it.
The program first prints "Hi! would you like see the current directory?" and then waits for our input, after which it prints the directory. But what happens if we say no?
Weirdly enough, it still lists it out. Let's decompile the executable using Ghidra.
Now that we have decompiled it, we can see what the program is doing and identify the vulnerability. First it initializes a variable that will later be used for comparing the input, then the input_buff variable, for which it allocates 12 bytes on the stack, which probably means we will have to do some kind of buffer overflow, but let's not get ahead of ourselves yet. Then it declares 3 more variables that aren't very clear and are probably used for standard things, not necessarily specific to this challenge. Note: the 2 variables that don't have random names were manually renamed.
Now let's actually get into the main part of the code. The program starts by printing out "Hi! would you like see the current directory?" as expected. Then we can see the vulnerability: the read() call allows more than 12 bytes to be stored in the input_buff variable, even though 12 bytes is all the program allocated for it, so we can conclude that the program has a buffer overflow vulnerability.
Now let's see what happens when we feed the program more than 12 bytes of data.
Interesting, so everything after the 12th character gets executed as a shell command. We could probably have deduced that from the source code as well, because we can see there is a system() call there. So what if we actually give it a command to print the flag?
Looks like it worked! We successfully got the flag using the buffer overflow vulnerability.
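The root cause identified above is an unbounded read() into a 12-byte stack buffer, with the bytes that spill past it ending up in a system() call. As an added example (not the challenge binary and not the author's code; the page does not show the original's exact variable layout, and the assumption that a "yes" answer should run a directory listing is mine), here is what a hardened version of the same prompt looks like in C: the read is bounded by the buffer size, the answer is only ever compared, and the listing runs /bin/ls with a fixed argv via execv, so there is no shell to interpret anything the user typed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/wait.h>

/* Same 12-byte buffer as the challenge describes, but every read into it
 * is capped at sizeof(buffer) - 1 so extra input can never reach the stack. */
#define INPUT_SIZE 12

/* Read at most bufsz-1 bytes from fd into buf and NUL-terminate it.
 * Returns the number of bytes stored, or -1 on read error. Bytes beyond
 * the cap are simply left unread, which is the whole difference from an
 * unbounded read(fd, buf, LARGE) into a small buffer. */
ssize_t bounded_read_answer(int fd, char *buf, size_t bufsz) {
    if (bufsz == 0) return -1;
    ssize_t n = read(fd, buf, bufsz - 1);
    if (n < 0) { buf[0] = '\0'; return -1; }
    buf[n] = '\0';
    /* Drop a trailing newline so "yes\n" compares equal to "yes". */
    if (n > 0 && buf[n - 1] == '\n') buf[--n] = '\0';
    return n;
}

/* Interpret the answer. Only "y"/"yes" (case-insensitive) counts as yes;
 * anything else, including the empty string, is treated as no. The input
 * is data to compare against, never something to execute. */
int answer_is_yes(const char *answer) {
    return strcasecmp(answer, "y") == 0 || strcasecmp(answer, "yes") == 0;
}

/* List the current directory with a fixed argv via execv rather than
 * system(): no shell is involved, so user bytes cannot become a command.
 * Returns the child's exit status, or -1 on failure. (Assumed behaviour
 * for a "yes" answer; the page does not show how the original lists it.) */
int list_current_directory(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ls", "-l", ".", NULL };
        execv("/bin/ls", argv);
        _exit(127);  /* only reached if execv itself fails */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char input_buff[INPUT_SIZE];
    puts("Hi! would you like see the current directory?");
    if (bounded_read_answer(STDIN_FILENO, input_buff, sizeof input_buff) < 0) {
        perror("read");
        return 1;
    }
    if (answer_is_yes(input_buff))
        return list_current_directory() == 0 ? 0 : 1;
    puts("Okay, not listing it.");
    return 0;
}
```

Feeding this version 30 bytes on stdin stores only the first 11 and ignores the rest, and a "no" answer really does skip the listing; the two checks together close both the overflow and the command execution the writeup relies on.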