
💣 P0wn3d

A detailed write-up of the Pwn challenge 'P0wn3d' from WolvCTF - 2025

/images/WolvCTF-2025/Pwn/P0wn3d/challenge_presentation.png
Challenge Presentation

📊 Challenge Overview

| Category | Details | Additional Info |
|---|---|---|
| 🏆 Event | WolvCTF - 2025 | Event Link |
| 🔰 Category | Pwn | 💣 |
| 💎 Points | 50 | Out of 500 total |
| ⭐ Difficulty | 🟢 Easy | Personal Rating: 0/10 |
| 👤 Author | Didkd | Profile |
| 🎮 Solves (At the time of flag submission) | 6 | solve rate |
| 📅 Date | 23-03-2025 | WolvCTF - 2025 |
| 🦾 Solved By | mH4ck3r0n3 | Team: QnQSec |

📝 Challenge Information

Author: Didkd

An introduction to pwn challenges. This is to protect the babies from last year!

🎯 Challenge Files & Infrastructure

Provided Files

Files:

🔍 Initial Analysis

First Steps

This is the first challenge in the P0wn3d series. While reviewing the attached files, I noticed that the C source file was included, so I skipped running checksec on the ELF (Executable and Linkable Format).

Analyzing the code shows a buffer overflow with a guard:

struct __attribute__((__packed__)) data {  
  char buf[32];  
  int guard;  
};  

The structure is declared as packed, which ensures that there is no padding between buf and guard on the stack. This means we will find 32 bytes (for buf) followed immediately by 4 bytes (for guard, as int is 4 bytes).

Continuing to read, I found a get_flag function that reads from the flag.txt file and prints its content. In the main function, we find the actual vulnerability:

  struct data first_words;  
  ignore(); /* ignore this function */    
  printf("Hello little p0wn3r. Do you have any first words?\n");  
  fgets(first_words.buf, 64, stdin);  
  sleep(2);  
  puts("Man that is so cute");  
  sleep(2);  
  puts("I remember last year people were screaming at the little p0wn3rs.. like AAAAAAAAAAAAAAAAAAAAAAAAAAAAA!");  
  sleep(2);  
  puts("Don't worry little one. I won't let them do that to you. I've set up a guard");    
 
  if (first_words.guard == 0x42424242) {  
    get_flag();  
  }  

The vulnerability lies in the use of fgets(). As we can see, it is called with a size of 64, so it accepts up to 63 bytes from standard input plus a terminating null byte and stores them in buf, which we previously determined to be only 32 bytes in size.

Therefore, if we input more than 32 bytes, we will overwrite data beyond the allocated buffer for buf. Since the next field on the stack is guard, writing 4 bytes beyond buf will overwrite its value.
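The overflow and its fix side by side, as an added example that is not part of the challenge source or the original write-up. The function names, the stream_of helper and the 64-byte scratch frame (which stands in for the stack so the oversized read stays well-defined) are assumptions made for this demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct __attribute__((__packed__)) data {
  char buf[32];
  int guard;
};

/* Constructed sample input: 32 filler bytes, then four 0x42 bytes. */
static const char SAMPLE[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB\n";

/* Hypothetical helper: a temporary stream standing in for stdin. */
static FILE *stream_of(const char *s) {
  FILE *f = tmpfile();
  if (f) { fputs(s, f); rewind(f); }
  return f;
}

/* Original call shape: size 64 against a 32-byte field. The scratch frame
   models the memory after buf, so bytes 32..35 land where guard lives. */
int guard_after_unbounded_read(const char *input) {
  unsigned char frame[64] = {0};
  struct data d;
  FILE *in = stream_of(input);
  if (!in) return -1;
  if (!fgets((char *)frame, 64, in)) frame[0] = '\0';
  fclose(in);
  memcpy(&d, frame, sizeof d); /* view the frame through the struct layout */
  return d.guard;
}

/* Hardened call: the size is taken from the destination itself. */
int guard_after_bounded_read(const char *input) {
  struct data d = { .buf = {0}, .guard = 0 };
  FILE *in = stream_of(input);
  if (!in) return -1;
  if (!fgets(d.buf, sizeof d.buf, in)) d.buf[0] = '\0';
  fclose(in);
  return d.guard;
}

int main(void) {
  printf("guard offset: %zu\n", offsetof(struct data, guard));
  printf("size 64:          guard = 0x%08x\n", (unsigned)guard_after_unbounded_read(SAMPLE));
  printf("size sizeof(buf): guard = 0x%08x\n", (unsigned)guard_after_bounded_read(SAMPLE));
  return 0;
}
```

With sizeof d.buf as the limit, fgets stops after 31 characters and the guard keeps its initial value.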

Now, let’s move on to the exploitation phase.

🔬 Vulnerability Analysis

Potential Vulnerabilities

  • Buffer Overflow

🎯 Solution Path

Exploitation Steps

Initial setup

To call the get_flag() function, we need to enter the if statement that checks whether the guard variable is equal to 0x42424242.

Converting this value (0x42) to an ASCII character gives us the letter B:

/images/WolvCTF-2025/Pwn/P0wn3d/b.png
Ascii Value Of 0x42

Since 0x42 repeats a total of 4 times, our payload must include B*4.

Exploitation

To construct the final payload, we first need to fill the buffer of the buf variable, which we determined to be 32 bytes, and then overwrite the guard variable with B*4 to enter the if statement and trigger get_flag. Since each character occupies 1 byte, we can directly write a payload like this:

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB  

That is, A*32 (to fill the buf buffer) and four Bs to overwrite guard and enter the if statement. Since this payload is quite simple, I sent it directly using Bash:

python3 -c "print('A'*32 + 'B' * 4)" | nc p0wn3d.kctf-453514-codelab.kctf.cloud 1337  

This pipes the output of Python via | directly to netcat. This way, when input is requested and expected on stdin, it is automatically sent as AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB (the output from Python). Doing this, I obtained the flag.

Flag capture

/images/WolvCTF-2025/Pwn/P0wn3d/manual_flag.png
Manual Flag

🛠️ Exploitation Process

Approach

The exploit simply connects to the server and first sends a padding of A*32, followed by B*4 to bypass the guard and call the function to obtain the flag.

🚩 Flag Capture

Flag

wctf{pwn_1s_l0v3_pwn_1s_l1f3}

Proof of Execution

/images/WolvCTF-2025/Pwn/P0wn3d/automated_flag.png
Automated Flag
Screenshot of successful exploitation

🔧 Tools Used

| Tool | Purpose |
|---|---|
| Python | Exploit |
| GDB | Dynamic Analysis |

💡 Key Learnings

Skills Improved

  • Binary Exploitation
  • Reverse Engineering
  • Web Exploitation
  • Cryptography
  • Forensics
  • OSINT
  • Miscellaneous

📚 References & Resources

Similar Challenges

Learning Resources


📊 Final Statistics

| Metric | Value | Notes |
|---|---|---|
| Time to Solve | 00:03 | From start to flag |
| Global Ranking (At the time of flag submission) | 7/428 | Challenge ranking |
| Points Earned | 50 | Team contribution |

Created: 23-03-2025 • Last Modified: 23-03-2025 Author: mH4ck3r0n3 • Team: QnQSec