Category: Binary Exploitation
The program provided allows you to write to a file and read what you wrote from it. Try playing around with it and see if you can break it! Connect to the program with netcat:
$ nc saturn.picoctf.net 55197
The program's source code with the flag redacted can be downloaded here.[1]
Let's start by downloading the source code using:
wget https://artifacts.picoctf.net/c/490/program-redacted.c
Starting with the main() function we're asked to make a choice:
puts("Hi, welcome to my echo chamber!");
puts("Type '1' to enter a phrase into our database");
puts("Type '2' to echo a phrase in our database");
puts("Type '3' to exit the program");
Then, looking through the rest of the source, we find this in dataread():
if ((entry_number = strtol(entry, NULL, 10)) == 0) {
    /* an entry number that parses to 0 prints the flag and exits */
    puts(flag);
    fseek(stdin, 0, SEEK_END);
    exit(0);
}
This tells us that the FLAG resides at phrase 0 in the 'database.' So, connecting to the program using netcat, we select the first menu option and enter our data and its length:
└─$ nc saturn.picoctf.net 55197
Hi, welcome to my echo chamber!
Type '1' to enter a phrase into our database
Type '2' to echo a phrase in our database
Type '3' to exit the program
1
1
Please enter your data:
a
a
Please enter the length of your data:
1
1
Your entry number is: 1
Now, when prompted whether we wish to do something else, we select option 2, and for our data entry number we enter 0, which should echo out the FLAG:
Write successful, would you like to do anything else?
2
2
Please enter the entry number of your data:
0
0
picoCTF{M4K3_5UR3_70_CH3CK_Y0UR_1NPU75_25D6CDDB}
picoCTF{M4K3_5UR3_70_CH3CK_Y0UR_1NPU75_D870266B}
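The flag text points at the fix: validate the entry number before acting on it. The following is an added example, not code from the challenge source. It parses an entry number strictly, so that 0, negative numbers, out-of-range values and input with no digits (for which strtol() also returns 0) are all rejected. The helper name parse_entry_number and the max_entry bound are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not from the challenge source): strictly parse a
 * 1-based entry number. Returns 0 and stores the value in *out on success,
 * -1 on any rejected input. max_entry is an assumed upper bound supplied
 * by the caller, e.g. the number of entries written so far. */
int parse_entry_number(const char *s, long max_entry, long *out)
{
    char *end = NULL;
    long v;

    if (s == NULL || out == NULL)
        return -1;

    errno = 0;
    v = strtol(s, &end, 10);

    if (end == s)                /* no digits: strtol returned 0 without parsing */
        return -1;
    if (errno == ERANGE)         /* value did not fit in a long */
        return -1;
    if (*end == '\n')            /* tolerate the newline left by fgets() */
        end++;
    if (*end != '\0')            /* trailing junk such as "2x" */
        return -1;
    if (v < 1 || v > max_entry)  /* entry 0 and negatives are never valid */
        return -1;

    *out = v;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, checked against an assumed 3 stored entries. */
    const char *samples[] = { "1", "0", "abc", "-1", "2x", "4", "99999999999999999999" };
    long n;

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = parse_entry_number(samples[i], 3, &n);
        printf("%s -> %s\n", samples[i], rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```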
Footnotes
[1] Included links to the source code may be out of date as they were what I recorded during the competition, and may be different now.