AAAAA- I'm not screaming, I'm just buffer overflowing my emotions!
screaming
| Category | Points | Author |
| --- | --- | --- |
| Reverse engineering | 40 | qvipin |
Solves (259)
| 1 |  krississy | 12/02 3:01 pm | 
| 2 |  .awesomeguy. | 12/02 3:03 pm | 
| 3 |  mr_mph | 12/02 3:10 pm | 
| 4 |  eth007 | 12/02 3:45 pm | 
| 5 |  a5788g | 12/02 3:59 pm | 
| 6 |  cam1386 | 12/02 4:22 pm | 
| 7 |  _avyra | 12/02 4:31 pm | 
| 8 |  bigjango | 12/02 4:53 pm | 
| 9 |  ilegosmaster | 12/02 5:31 pm | 
| 10 |  dharneesh5555 | 12/02 5:40 pm | 
| 11 |  pranavn | 12/02 5:49 pm | 
| 12 |  ejee | 12/02 6:20 pm | 
| 13 |  noatwill1024 | 12/02 6:41 pm | 
| 14 |  amir213. | 12/02 7:46 pm | 
| 15 |  stick_2.o | 12/02 7:49 pm | 
| 16 |  zir000 | 12/02 9:36 pm | 
| 17 |  midnightfam | 12/02 9:47 pm | 
| 18 |  org_bener | 12/02 9:50 pm | 
| 19 |  booklover997 | 12/03 12:14 am | 
| 20 |  wavefire_ | 12/03 1:52 am | 
| 21 |  ryuun1corn | 12/03 1:55 am | 
| 22 |  foodreaper | 12/03 2:25 am | 
| 23 |  boomanten10 | 12/03 3:19 am | 
| 24 |  uvuvue | 12/03 4:15 am | 
| 25 |  aa2a9c53cbb80416d3b47d85538d9971 | 12/03 5:17 am | 
| 26 |  sleuth123 | 12/03 7:40 am | 
| 27 |  saturn9 | 12/03 7:52 am | 
| 28 |  benishot. | 12/03 8:07 am | 
| 29 |  genggx. | 12/03 9:45 am | 
| 30 | 12/03 4:07 pm | |
| 31 | 12/03 4:09 pm | |
| 32 |  noahb1331 | 12/03 7:29 pm | 
| 33 |  zzunaidd023 | 12/03 8:37 pm | 
| 34 |  monstermanyana_47633 | 12/03 9:16 pm | 
| 35 |  nouxia | 12/03 11:07 pm | 
| 36 |  dailybee13. | 12/04 4:57 am | 
| 37 |  battersea | 12/04 8:33 am | 
| 38 |  peterw18 | 12/04 9:13 am | 
| 39 |  __j03 | 12/04 9:16 am | 
| 40 |  _vow_ | 12/04 10:00 am | 
| 41 |  dawiddym | 12/04 10:34 am | 
| 42 |  peroneus502 | 12/04 11:34 am | 
| 43 |  callmesaviour | 12/04 11:54 am | 
| 44 |  p.s.y | 12/04 12:29 pm | 
| 45 |  unpwnbl | 12/04 3:11 pm | 
| 46 |  theapprocrastinator | 12/04 5:40 pm | 
| 47 |  _4n3s | 12/04 6:22 pm | 
| 48 |  godlyavenger | 12/04 9:48 pm | 
| 49 |  razvan.iacob | 12/05 5:15 am | 
| 50 |  minipif | 12/05 5:29 am | 
| 51 |  ._e4gl3_. | 12/05 7:09 am | 
| 52 |  stefanin | 12/05 8:39 am | 
| 53 |  pligonstein | 12/05 9:26 am | 
| 54 |  tudor | 12/05 10:42 am | 
| 55 |  raul_26 | 12/05 12:46 pm | 
| 56 |  zarnex__ | 12/05 2:11 pm | 
| 57 |  lydxn | 12/05 10:48 pm | 
| 58 |  theb4tmite | 12/06 9:41 am | 
| 59 |  h3ri0s | 12/06 9:46 am | 
| 60 |  junzhunozhu | 12/06 9:56 am | 
| 61 |  silence_ | 12/06 10:08 am | 
| 62 |  p33raw1t | 12/06 10:10 am | 
| 63 |  heartstoller | 12/06 10:23 am | 
| 64 |  kr4z31n | 12/07 6:26 am | 
| 65 |  thescientist101 | 12/09 12:52 am | 
| 66 |  zsawk | 12/09 7:19 pm | 
| 67 |  whoful | 12/10 4:52 am | 
| 68 |  .mikey242 | 12/10 10:53 am | 
| 69 |  riki_s | 12/10 12:06 pm | 
| 70 |  yo8836 | 12/11 4:00 am | 
| 71 |  lavamail | 12/12 1:43 am | 
| 72 |  vaynard4695 | 12/13 12:19 pm | 
| 73 |  ztz | 12/13 1:39 pm | 
| 74 |  infernosalex | 12/14 3:33 pm | 
| 75 |  andreicat | 12/14 3:38 pm | 
| 76 |  sevgillim_. | 12/15 5:15 am | 
| 77 |  sanskariwolf | 12/15 8:30 am | 
| 78 |  branoodle | 12/15 9:59 am | 
| 79 |  hiushieud22 | 12/15 11:58 am | 
| 80 |  mobyduck | 12/15 2:15 pm | 
| 81 |  d3dn0v4 | 12/15 4:21 pm | 
| 82 |  awdyan_ | 12/15 5:51 pm | 
| 83 |  sr89 | 12/15 6:55 pm | 
| 84 |  ret2libc | 12/15 7:28 pm | 
| 85 |  ljy4499 | 12/15 7:33 pm | 
| 86 |  mostafa__1688 | 12/15 8:24 pm | 
| 87 |  mbvsthewrld | 12/15 8:44 pm | 
| 88 |  ots3299 | 12/15 11:57 pm | 
| 89 |  skkipie | 12/16 12:01 am | 
| 90 |  pvpwarrior_ | 12/16 1:01 am | 
| 91 |  test123450604 | 12/16 1:03 am | 
| 92 |  yomamafat6888 | 12/16 1:27 am | 
| 93 |  lzutao | 12/16 1:53 am | 
| 94 |  rex_i_a | 12/16 3:09 am | 
| 95 |  athaw | 12/16 5:19 am | 
| 96 |  subu9800 | 12/16 6:57 am | 
| 97 |  benny_46903_75418 | 12/16 7:02 am | 
| 98 |  eminum3424 | 12/16 7:22 am | 
| 99 |  puwanai.s | 12/16 7:46 am | 
| 100 |  khavid | 12/16 8:50 am | 
| 101 |  joeblack7788 | 12/16 8:57 am | 
| 102 |  rotzkokowski | 12/16 8:57 am | 
| 103 |  trixai | 12/16 11:30 am | 
| 104 |  enigma_likes_flags | 12/16 11:41 am | 
| 105 |  masquerade8077 | 12/16 11:51 am | 
| 106 |  m0ns7er | 12/16 12:02 pm | 
| 107 |  themole007. | 12/16 12:03 pm | 
| 108 |  tchen | 12/16 12:07 pm | 
| 109 |  colonneil | 12/16 4:57 pm | 
| 110 |  ozrs2 | 12/16 6:17 pm | 
| 111 |  f00var | 12/16 8:06 pm | 
| 112 |  mooder1 | 12/17 9:19 am | 
| 113 |  andreww4364 | 12/17 2:32 pm | 
| 114 |  __landon | 12/17 3:14 pm | 
| 115 |  skulobasket | 12/17 4:57 pm | 
| 116 |  kar_b | 12/17 5:45 pm | 
| 117 |  coby_qv | 12/17 7:12 pm | 
| 118 |  hep5 | 12/17 7:19 pm | 
| 119 |  elijah5399 | 12/17 10:28 pm | 
| 120 |  .hackboredzz | 12/17 10:42 pm | 
| 121 |  vuxnx_91621 | 12/17 11:26 pm | 
| 122 |  jaxx0000 | 12/18 1:38 am | 
| 123 |  kush001607 | 12/18 2:15 am | 
| 124 |  fzhshzh_163 | 12/18 2:39 am | 
| 125 |  mrmakare | 12/18 4:30 am | 
| 126 |  zytbxl | 12/18 5:30 am | 
| 127 |  johndoe6826 | 12/18 5:48 am | 
| 128 |  georgechkhaidze | 12/18 9:33 am | 
| 129 |  damian.28 | 12/18 10:09 am | 
| 130 |  until_badao | 12/18 10:34 am | 
| 131 |  magic_kaito1412 | 12/18 10:51 am | 
| 132 |  hash0xc | 12/18 12:38 pm | 
| 133 |  abs8947 | 12/18 2:17 pm | 
| 134 |  mini_ware | 12/18 2:17 pm | 
| 135 |  dustcovers | 12/18 2:24 pm | 
| 136 |  nnhung37 | 12/18 8:43 pm | 
| 137 |  mostyx_56545 | 12/18 9:29 pm | 
| 138 |  rew122 | 12/18 10:52 pm | 
| 139 |  hehee_28473 | 12/18 11:44 pm | 
| 140 |  rocky2020. | 12/19 12:05 am | 
| 141 |  m0h31h31 | 12/19 1:38 am | 
| 142 |  sneh_87592 | 12/19 2:23 am | 
| 143 |  oreoenforcer | 12/19 3:18 am | 
| 144 |  paraesport | 12/19 4:12 am | 
| 145 |  helius1288 | 12/19 7:10 am | 
| 146 |  thetrooper_ | 12/19 7:53 am | 
| 147 |  saik9415 | 12/19 10:20 am | 
| 148 |  ryantstearns | 12/19 1:47 pm | 
| 149 |  arlokkq | 12/19 3:43 pm | 
| 150 |  ziadstr | 12/19 5:20 pm | 
| 151 |  samkumar2753 | 12/20 1:33 am | 
| 152 |  akz_loid | 12/20 2:16 am | 
| 153 |  minkuru_ | 12/20 3:14 am | 
| 154 |  0sx86 | 12/20 3:48 am | 
| 155 |  miles_ukr | 12/20 4:17 am | 
| 156 |  ibarkay | 12/20 6:14 am | 
| 157 |  mitotototo | 12/20 6:49 am | 
| 158 |  modhub_real | 12/20 8:34 am | 
| 159 |  mage9298 | 12/20 9:09 am | 
| 160 |  jurf3889 | 12/20 10:32 am | 
| 161 |  lalith_sai_x7777 | 12/20 10:54 am | 
| 162 |  c9550 | 12/20 12:32 pm | 
| 163 |  mtwiss_32447 | 12/20 3:37 pm | 
| 164 |  scaryxnour | 12/20 4:58 pm | 
| 165 |  olsujabu | 12/20 9:36 pm | 
| 166 |  installman. | 12/21 12:07 am | 
| 167 |  hqky.2kruoi | 12/21 6:22 am | 
| 168 |  burning_53712 | 12/21 7:42 am | 
| 169 |  kaizowe | 12/21 11:42 am | 
| 170 |  manu7738 | 12/21 4:18 pm | 
| 171 |  dudalp | 12/21 7:34 pm | 
| 172 |  hoon2308 | 12/21 9:44 pm | 
| 173 |  h45him | 12/22 12:43 am | 
| 174 |  rjcyber | 12/22 3:23 am | 
| 175 |  spectre06872 | 12/22 5:13 am | 
| 176 |  themujdii | 12/22 5:21 am | 
| 177 |  .mindsystem | 12/22 10:22 am | 
| 178 |  inoginn | 12/22 12:22 pm | 
| 179 |  leslato | 12/22 7:19 pm | 
| 180 |  srik714 | 12/22 8:08 pm | 
| 181 |  hola_senor | 12/22 9:00 pm | 
| 182 |  captainbl | 12/23 2:24 am | 
| 183 |  obet | 12/23 5:52 am | 
| 184 |  aquarhead | 12/23 10:00 am | 
| 185 |  aarondewes | 12/23 11:15 am | 
| 186 |  re_tired | 12/23 1:29 pm | 
| 187 |  iam_the_tea_guy | 12/23 3:06 pm | 
| 188 |  astharot15 | 12/23 4:09 pm | 
| 189 |  znatii | 12/23 4:29 pm | 
| 190 |  h3lpme2exp10it | 12/23 5:49 pm | 
| 191 |  tomatoed | 12/23 6:53 pm | 
| 192 |  _odinnopro | 12/24 1:48 am | 
| 193 |  delightful_dragon_28348 | 12/24 2:57 am | 
| 194 |  yugi200 | 12/24 3:17 am | 
| 195 |  r1yhtp | 12/24 5:49 am | 
| 196 |  genseilni9593 | 12/24 9:44 am | 
| 197 |  xtrimi | 12/24 10:10 am | 
| 198 |  awwliveyet | 12/24 1:43 pm | 
| 199 |  zabatmoncef | 12/24 3:19 pm | 
| 200 |  ivanovich0114 | 12/24 4:54 pm | 
| 201 |  concealbear | 12/24 9:16 pm | 
| 202 |  papa9995 | 12/25 12:15 am | 
| 203 |  kineticallyunstable | 12/25 1:11 am | 
| 204 |  anyzy. | 12/25 1:56 am | 
| 205 |  v3ged4g. | 12/25 3:31 am | 
| 206 |  isee9917 | 12/25 6:51 am | 
| 207 |  busy_parrot_29341 | 12/25 7:34 am | 
| 208 |  robert0wen | 12/25 7:51 am | 
| 209 |  mattewastaken | 12/25 8:03 am | 
| 210 |  fisher_8 | 12/25 8:33 am | 
| 211 |  erodjan | 12/25 9:10 am | 
| 212 |  darkity | 12/25 10:20 am | 
| 213 |  grwna | 12/25 10:53 am | 
| 214 |  leyo7 | 12/25 12:46 pm | 
| 215 |  6oq. | 12/25 1:10 pm | 
| 216 |  hanks2151 | 12/25 1:15 pm | 
| 217 |  chappy_jethro | 12/25 1:37 pm | 
| 218 |  predatormonarch | 12/25 4:51 pm | 
| 219 |  m4422 | 12/25 5:50 pm | 
| 220 |  tildenjackson | 12/25 5:54 pm | 
| 221 |  wilsonwei_cs | 12/25 11:17 pm | 
| 222 |  sadfr0g. | 12/26 1:45 am | 
| 223 |  strapper1 | 12/26 1:47 am | 
| 224 |  saint.sage | 12/26 3:17 am | 
| 225 |  darkimoo. | 12/26 4:01 am | 
| 226 |  .brothersofdestruction | 12/26 4:25 am | 
| 227 |  infamous6800 | 12/26 4:53 am | 
| 228 |  0x0ffset | 12/26 5:02 am | 
| 229 |  _vga_ | 12/26 6:07 am | 
| 230 |  .jstr_ | 12/26 7:37 pm | 
| 231 |  tyx2019 | 12/27 1:12 am | 
| 232 |  vifsh_01692 | 12/27 1:40 am | 
| 233 |  fakeaviationist | 12/27 2:54 am | 
| 234 |  qwerty2119581 | 12/27 3:45 am | 
| 235 |  friendly.spider | 12/27 5:24 am | 
| 236 |  stoney9402 | 12/27 1:05 pm | 
| 237 |  lamentxu | 12/28 2:22 am | 
| 238 |  meteor_kai | 12/28 3:13 am | 
| 239 |  hotiker | 12/28 9:47 am | 
| 240 |  neko4394 | 12/28 10:25 am | 
| 241 |  pnk013 | 12/28 10:25 am | 
| 242 |  baribal02 | 12/28 3:37 pm | 
| 243 |  azooz24 | 12/28 5:21 pm | 
| 244 |  5h1kh4r | 12/29 12:07 am | 
| 245 |  guohanming | 12/29 2:17 am | 
| 246 |  siddhartha_hdk | 12/29 4:20 am | 
| 247 |  drago0287 | 12/29 4:52 am | 
| 248 |  fazect | 12/29 6:12 am | 
| 249 |  rnvntd | 12/29 11:14 pm | 
| 250 |  tharun21 | 12/30 4:00 am | 
| 251 |  user_03948 | 12/30 7:10 am | 
| 252 |  nian_30889 | 12/30 7:53 am | 
| 253 |  dapinn0841 | 12/30 12:52 pm | 
| 254 |  jumbotron.__38029 | 12/30 11:40 pm | 
| 255 |  mahendra3279 | 12/31 1:21 am | 
| 256 |  daynight253 | 12/31 3:45 am | 
| 257 |  0xr1ck | 12/31 5:28 am | 
| 258 |  supriyrathi | 12/31 7:27 am | 
| 259 |  buzhidao2945 | 12/31 10:02 am | 
Write-up
zarnex's write-up was selected as the best write-up submitted for this challenge.
$ file chall
chall: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=69603fa57a0c6db8d144004964ce8f86db96f1f8, for GNU/Linux 3.2.0, not stripped
It seems we are working with an ELF file, which is short for Executable and Linkable Format. Think of it as Linux's version of a .exe. Let's run the program.
$ ./chall
give me flag!
not that easy pal :|
Well, that didn't help much, but a decompilation could! A decompilation is the output of a decompiler, which tries to make sense of the machine-readable code and represents it in a higher-level, human-readable language. A good free tool to get a decompilation is dogbolt.org. Let's analyze our file with it.

Interesting, it seems that there isn't a direct path to the flag. This could be a buffer overflow, where we write 1 more byte than the buffer holds (in this case it's 4080) and the overflow sets the value to True. Let's try to overflow it!
$ python3 -c 'print("A" * 4081)' | ./chall # I used Python here to print out a large number of characters. -c runs a command from the terminal
not that easy pal :|
$ python3 -c 'print("A" * 10000)' | ./chall
Day 2 gotta keep it simple :) Here is the flag: csd{d4y_2_H0w_r_u?}
*** stack smashing detected ***: terminated
[1]    1371982 done                           python3 -c 'print("A" * 10000)' |
       1371983 IOT instruction (core dumped)  ./chall
Wow, so it seems our decompilation had failed us and showed us an incorrect buffer, so I put a random buffer of 10 KB and it seemed to have been enough. However, with my testing, I found another method to solve this, which I believe is why they made an announcement on changing the category.
Solution 2
(gdb) disas main
Dump of assembler code for function main:
   0x000055555555527a <+0>:     endbr64
   0x000055555555527e <+4>:     push   %rbp
   0x000055555555527f <+5>:     mov    %rsp,%rbp
   0x0000555555555282 <+8>:     sub    $0x1000,%rsp
   0x0000555555555289 <+15>:    orq    $0x0,(%rsp)
   0x000055555555528e <+20>:    sub    $0xff0,%rsp
   0x0000555555555295 <+27>:    mov    %fs:0x28,%rax
   0x000055555555529e <+36>:    mov    %rax,-0x8(%rbp)
   0x00005555555552a2 <+40>:    xor    %eax,%eax
   0x00005555555552a4 <+42>:    movb   $0x0,-0xa(%rbp)
   0x00005555555552a8 <+46>:    lea    -0x1ff0(%rbp),%rax
   0x00005555555552af <+53>:    mov    %rax,%rdi
   0x00005555555552b2 <+56>:    mov    $0x0,%eax
   0x00005555555552b7 <+61>:    call   0x5555555550d0 <gets@plt>
   0x00005555555552bc <+66>:    movzbl -0xa(%rbp),%eax
   0x00005555555552c0 <+70>:    test   %al,%al
   0x00005555555552c2 <+72>:    je     0x5555555552d0 <main+86>
   0x00005555555552c4 <+74>:    mov    $0x0,%eax
   0x00005555555552c9 <+79>:    call   0x5555555551c9 <win>
   0x00005555555552ce <+84>:    jmp    0x5555555552df <main+101>
   0x00005555555552d0 <+86>:    lea    0xd65(%rip),%rax        # 0x55555555603c
   0x00005555555552d7 <+93>:    mov    %rax,%rdi
   0x00005555555552da <+96>:    call   0x555555555090 <puts@plt>
   0x00005555555552df <+101>:   mov    $0x0,%eax
   0x00005555555552e4 <+106>:   mov    -0x8(%rbp),%rdx
   0x00005555555552e8 <+110>:   sub    %fs:0x28,%rdx
   0x00005555555552f1 <+119>:   je     0x5555555552f8 <main+126>
   0x00005555555552f3 <+121>:   call   0x5555555550b0 <__stack_chk_fail@plt>
   0x00005555555552f8 <+126>:   leave
   0x00005555555552f9 <+127>:   ret
End of assembler dump.
(gdb) b* 0x5555555552d0
Breakpoint 1 at 0x5555555552d0
(gdb) run
Starting program: /home/zarnex/advent_of_ctf/chall
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Breakpoint 1, 0x00005555555552d0 in main ()
(gdb) jump win
Continuing at 0x5555555551d1.
Day 2 gotta keep it simple :) Here is the flag: csd{d4y_2_H0w_r_u?}
[Inferior 1 (process 1374232) exited normally]
(gdb)
Zarnex, what the hell is this? What I'm doing here is using a tool called a debugger, which allows us to analyze the binary more dynamically. I first ran the program because of Address Space Layout Randomization (ASLR), which randomizes the memory addresses that the binary uses. If I didn't run it, the addresses would be completely different and I couldn't jump to win(). After I ran the program, I set a breakpoint at a random part of main before the check and then jumped to the win function, which just printed out the flag.
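The offsets in the disassembly above also account for the two results in the first solution: the input buffer starts at -0x1ff0(%rbp), the byte that main tests sits at -0xa(%rbp), and the stack canary at -0x8(%rbp). The following is an added example, not part of the original write-up or the challenge source: a byte-array model of that frame comparing an unbounded gets() read with a bounded fgets() read. The helper model_read, the sample canary value and the choice of bound are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Distances from the start of the input buffer, read off the disassembly:
   buffer at -0x1ff0(%rbp), checked byte at -0xa(%rbp), canary at -0x8(%rbp). */
enum {
    BUF_TO_FLAG   = 0x1ff0 - 0xa,  /* 8166 bytes */
    BUF_TO_CANARY = 0x1ff0 - 0x8,  /* 8168 bytes */
    MODEL_SIZE    = 0x8000         /* slack so the model never overflows itself */
};

struct result { int flag_set; int canary_ok; };

/* Byte-array model of main()'s frame (hypothetical helper).
   limit == 0 models gets(): every input byte is stored, then a NUL.
   limit  > 0 models fgets(buf, limit, stdin): at most limit-1 bytes, then a NUL. */
static struct result model_read(size_t input_len, size_t limit)
{
    static unsigned char frame[MODEL_SIZE];
    /* Constructed sample canary; the real value is random per process. */
    static const unsigned char canary[8] = {0x00,0x5a,0xc3,0x17,0x9e,0x21,0x6b,0xd4};
    size_t n = input_len;

    memset(frame, 0, sizeof frame);              /* movb $0x0,-0xa(%rbp) */
    memcpy(frame + BUF_TO_CANARY, canary, sizeof canary);
    if (limit > 0 && n > limit - 1) n = limit - 1;
    if (n > sizeof frame - 1) n = sizeof frame - 1;
    memset(frame, 'A', n);                       /* the input bytes */
    frame[n] = '\0';                             /* terminator written by the read */

    struct result r = {
        frame[BUF_TO_FLAG] != 0,                                   /* test %al,%al */
        memcmp(frame + BUF_TO_CANARY, canary, sizeof canary) == 0  /* epilogue check */
    };
    return r;
}

int main(void)
{
    const size_t lens[] = {4081, 10000};         /* the two lengths tried above */
    for (size_t i = 0; i < 2; i++) {
        struct result r = model_read(lens[i], 0);
        printf("gets,  %5zu bytes: flag_set=%d canary_ok=%d\n",
               lens[i], r.flag_set, r.canary_ok);
    }
    struct result b = model_read(10000, BUF_TO_FLAG);  /* bound chosen for the model */
    printf("fgets, 10000 bytes: flag_set=%d canary_ok=%d\n", b.flag_set, b.canary_ok);
    return 0;
}
```

In the model, 4081 bytes stop well short of the checked byte, while 10000 bytes overwrite both it and the canary, which matches the flag being printed and then "stack smashing detected". With a bounded read the same input changes neither.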
Bonus: Solution 3
Looking at the win function we find this.

Now what is going on? It takes the hex string stored in &var_38 and XORs it with 0xAA, so in theory we could just reverse that, as seen in this CyberChef recipe.
Flag: csd{d4y_2_H0w_r_u?}