This challenge is very straight forward, this challenge is a buffer overflow challenge, we can get the flag just overflowing some value on the memory.
The first step is by looking the source code we given by downloading it from the description.
As we can see the goals is to change value variable hack_me to bigger then before, you can check that variable hack_me is check if variable hack_me is bigger then 0x2, which 0x2 is same as value of hack_me, and if we can change value of hack_me, the program will execute command using system function and will cat the flag.txt.
Now lets check the executable file using checksec.
As you can see PIE and STACK CANARY is disable, so this is indicate that the program has buffer overflow vulnerability.
Let’s run the program.
Program is asking for input and max digit is 10 digits, and if we enter it 10 char, it print “Ok thanks” then how if we add just 1 digit more? So in source code is already set our input is saved on buf variable which is has 10 space for our input, and if we input just 1 more digit, it will allocated our input to lower memory, now to confirm that, let’s open the program using gdb.
and let’s just set breakpoints after it ask for input which is after program call gets@plt
Let’s run it and see how it look on memory
here i input “AAAAABBBBB” to check how it look, as you can see on RSI our input is convert to hex, and let’s see how it look on memory
our input is stored on RSP register
now let’s run it and let’s add more digits in our input
Here i add 5 more digits, and you can see on RSI register only take 10 digit from our digit, and where is the rest? the rest input is overflowing the memory and write in memory variable hack_me.
I edit the source code to see if the variable hack_me is change or not, and help us to find the memory location of variable hack_me.
and using gcc to compile it:
gcc easy_beffer_overflow.c -o easy_overflow_edit -no-pie -Fno-stack-protector
and run it again with add 5 digits more as input.
and this is how it look the value of variable hack_me, and it try to cat the flag, but because i run it on local machine it can’t cat the flag, so let’s try connect to the server and add 5 digits more as input.
nc 18.104.22.168 29458
and there you go, we got the flag that easy.