USCCTF2024 Pwn Portal

Description

Can you use the portals to get to the right place?

You are provided with a 32-bit executable:

    └─$ file portal
    portal: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=2777afda2049624cbbecde55650e58f347efcd29, for GNU/Linux 3.2.0, not stripped

Using checksec on this binary reveals that there are no security defenses enabled:

    [*] '/home/kali/ctf/uscctf2024/pwn/portal/portal'
        Arch:     i386-32-little
        RELRO:    No RELRO
        Stack:    No canary found
        NX:       NX unknown - GNU_STACK missing
        PIE:      No PIE (0x8048000)
        Stack:    Executable
        RWX:      Has RWX segments
        Stripped: No

This is a straightforward “return-to-win” challenge. Upon inspecting the binary with objdump, you can see that the function win is the goal: ...

November 15, 2024 · Joon Kim

tamuctf 2022 - Lucky

tamuctf 2022: Lucky

Author: nhwn

Feeling lucky? I have just the challenge for you :D

Reference

I could not solve this on my own so I had to refer to this writeup: https://github.com/tj-oconnor/ctf-writeups/tree/main/tamu_ctf/lucky

    #include <stdio.h>
    #include <stdlib.h>

    void welcome() {
        char buf[16];
        printf("Enter your name: ");
        fgets(buf, sizeof(buf), stdin);
        printf("\nWelcome, %s\nIf you're super lucky, you might get a flag! ", buf);
    }

    int seed() {
        char msg[] = "GLHF :D";
        printf("%s\n", msg);
        int lol; /* never initialized: returns leftover stack contents */
        return lol;
    }

    void win() {
        char flag[64] = {0};
        FILE* f = fopen("flag.txt", "r");
        fread(flag, 1, sizeof(flag), f);
        printf("Nice work! Here's the flag: %s\n", flag);
    }

    int main() {
        setvbuf(stdout, NULL, _IONBF, 0);
        welcome();
        srand(seed());

        int key0 = rand() == 306291429;
        int key1 = rand() == 442612432;
        int key2 = rand() == 110107425;

        if (key0 && key1 && key2) {
            win();
        } else {
            printf("Looks like you weren't lucky enough. Better luck next time!\n");
        }
    }

In the welcome() function, before fgets is called, rbp-0x10, which is the address of buf, is loaded into rax. I passed in aaaabaaacaaadaaaeaaafaaag, and the buffer was filled with aaaabaaacaaadaa\0. ...

April 20, 2022 · Joon Kim