247CTF - Easy Pwn Challenge Writeups

Hidden Flag Function

Can you control this application's flow to gain access to the hidden flag function?


Given the binary "hidden_flag_function", running file against it shows a 32-bit *nix x86 binary.

Running the binary, a prompt appears asking whether we have anything to say. Let's answer with a long run of "A"s: as this is a pwn challenge, the first thing to look for is a crash we can exploit :)

After several attempts, I found the crash occurred when writing the 72nd "A". A crash at that length shows the stack frame is being corrupted, but it does not by itself tell us where the saved return address sits; that offset is better confirmed with a cyclic pattern (pattern_create / pattern_offset in PEDA) than by counting "A"s.

Checking the security of the binary, we can see the following:

gdb-peda$ checksec
CANARY    : disabled
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : Partial
gdb-peda$

By opening up the binary with Ghidra, we can decompile the main() function:

undefined4 main(void)

{
  undefined *puVar1;
  
  puVar1 = &stack0x00000004;
  setbuf(stdout,(char *)0x0);
  puts("What do you have to say?");
  chall(puVar1);
  return 0;
}

main() disables stdout buffering with setbuf(), prints the prompt "What do you have to say?" with puts(), and then calls chall(), passing a pointer into its own stack frame (puVar1). As the next decompilation shows, chall() takes no parameters, so that argument is ignored.

Looking at the chall() decompilation:

void chall(void)

{
  undefined local_4c [68];
  
  __isoc99_scanf(&DAT_08048713,local_4c);
  return;
}

We can rename the local_4c variable to input, since it is the buffer we control. It is a 68-byte array on the stack, and scanf() writes into it with the format string stored at DAT_08048713; the format itself is not shown here, but the crash above tells us the read is not limited to the size of the array. With no stack canary and no PIE (see checksec), whatever lies past the array, including the saved return address, can be overwritten with fixed, known values.

void chall(void)

{
  undefined input [68];
  
  __isoc99_scanf(&DAT_08048713,input);
  return;
}
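To make the bug concrete, here is an added example (not part of the original writeup and not the challenge binary's code) that rebuilds the read in chall() as a small C model. It assumes the format string at DAT_08048713 is a plain "%s", which the decompilation above does not show; the struct stands in for the stack frame, with a 4-byte field right behind the 68-byte buffer playing the role of the saved EBP / return address. The bounded variant shows the fix: a field width one smaller than the buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Model of chall()'s frame: the 68-byte input array followed by a
 * 4-byte value, standing in for the saved EBP / return address that
 * sit past the array on the real stack. 'saved' is volatile so the
 * compiler always reloads it from memory after the sscanf() call.
 * The guard only absorbs scanf's terminating NUL so the demo stays
 * inside this struct. Assumes a little-endian target, like x86. */
struct frame {
    char input[68];
    volatile uint32_t saved;
    char guard[16];
};

#define SENTINEL 0xDEADBEEFu

/* Mirrors the decompiled chall(), assuming the format is "%s": no
 * width limit, so the copy only stops at whitespace or end of input. */
static uint32_t chall_unbounded(const char *line)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved = SENTINEL;
    sscanf(line, "%s", f.input);
    return f.saved;
}

/* Fixed version: a width of sizeof(input) - 1 makes scanf stop after
 * 67 characters, leaving room for the NUL terminator. */
static uint32_t chall_bounded(const char *line)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved = SENTINEL;
    sscanf(line, "%67s", f.input);
    return f.saved;
}

/* Run one of the two readers on a constructed line of n_as 'A's,
 * like the manual fuzzing in the writeup, and report what the
 * 4-byte field behind the buffer holds afterwards. */
static uint32_t saved_after(size_t n_as, int use_width)
{
    char line[128];
    if (n_as > sizeof line - 1)
        n_as = sizeof line - 1;
    memset(line, 'A', n_as);
    line[n_as] = '\0';
    return use_width ? chall_bounded(line) : chall_unbounded(line);
}

int main(void)
{
    /* 67 A's fit; 68 A's push only the NUL into the low byte of
     * 'saved'; 72 A's replace it entirely with 0x41414141. */
    size_t lens[] = { 67, 68, 71, 72 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%zu A's: unbounded saved = 0x%08x, bounded saved = 0x%08x\n",
               lens[i],
               (unsigned)saved_after(lens[i], 0),
               (unsigned)saved_after(lens[i], 1));
    return 0;
}
```

The 68-A case is worth noting: the overflow itself stops at the array boundary, yet the NUL that scanf appends still zeroes the low byte of the value behind it. A partially clobbered saved frame pointer of that kind is enough to make the caller's leave/ret sequence fault, which is why the first crash seen while counting "A"s need not coincide with the offset of the saved return address.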

As the challenge is called Hidden Flag Function, there should be a function named "flag" or similar. Searching the Functions tab in Ghidra turns up one named exactly that, flag(), which decompiles into:

void flag(void)

{
  char local_50 [64];
  FILE *local_10;
  
  local_10 = fopen("flag.txt","r");
  fgets(local_50,0x40,local_10);
  printf("How did you get here?\nHave a flag!\n%s\n",local_50);
  return;
}

local_10 holds the FILE pointer returned by fopen(), which opens flag.txt read-only; local_50 is the 64-byte buffer that fgets() fills with the file's contents and printf() then prints. Renaming local_50 to "flag" makes the function easier to read:

void flag(void)

{
  char flag [64];
  FILE *local_10;
  
  local_10 = fopen("flag.txt","r");
  fgets(flag,0x40,local_10);
  printf("How did you get here?\nHave a flag!\n%s\n",flag);
  return;
}

Looking up the fgets() declaration:

char *fgets(char *str, int n, FILE *stream)

It takes three arguments:

  • char *str = flag: the buffer that receives the line.
  • int n = 0x40: at most n-1 = 63 characters are read and a NUL terminator is appended, so the 64-byte buffer cannot be overrun here.
  • FILE *stream = local_10: the FILE pointer returned by fopen("flag.txt", "r"), identifying the stream the characters are read from.

Note that the return value of fopen() is never checked: if flag.txt is missing, local_10 is NULL and the fgets() call will crash instead of printing the flag, so the file has to be present in the working directory when testing locally.

(Not finished yet)