Posts for: #Pwn

Shc 2024 - Office program

This was the easiest pwn challenge of the CTF. It didn’t require any overflow or anything.

Here’s the most interesting part of the program:

puts("\nSelect an action:");
puts("0 - Exit (like leaving the offic…");
puts("1 - Print favourite excel column");
puts("2 - Call Rebecca from front desk");
puts("3 - Get secret sauce (only for f…");
printf("Enter your choice: ");
int32_t input; // Lost a lot of time trying to figure out if this was overflowable
__isoc99_scanf("%d", &input);
important_work_or_attend_a_meeting();
if (input == 3)
{
    break;
}
if (input < 0)
{
    puts("\nInput out of range. You confus…");
    input = -(input);
}
input = (input + 5);
if (input < 0)
{
    puts("\nInput out of range. You confus…");
    print_flag();
}

The goal is to reach the print_flag function. To do so, we have to send the program a value that will be transformed into its negative. Then 5 is added to that value, and the result has to be less than zero for the function to be called. At first I thought that sending any negative number less than 5 would make the cut, but it did not, simply because the scanf function expects a %d, thus an integer.
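The check above, modelled as an added example (not code from the original post or the challenge binary). It assumes the compiled negation and addition wrap at 32 bits, as the x86 instructions do; `wrap32`, `reaches_flag` and `checked_transform` are hypothetical names, and the hardened variant shows the range validation the listing lacks.

```c
#include <stdint.h>
#include <stdio.h>

/* Reinterpret 32 bits as signed without an implementation-defined cast. */
static int32_t wrap32(uint32_t u) {
    return (u <= INT32_MAX) ? (int32_t)u
                            : (int32_t)(u - 0x80000000u) + INT32_MIN;
}

/* Model of the decompiled logic: returns 1 if print_flag() would be reached.
 * Assumption: the arithmetic wraps modulo 2^32. */
static int reaches_flag(int32_t input) {
    if (input == 3) return 0;            /* the listing breaks out of the loop */
    uint32_t v = (uint32_t)input;
    if (input < 0) v = 0u - v;           /* input = -(input); INT32_MIN maps to itself */
    return wrap32(v + 5u) < 0;           /* input = input + 5; if (input < 0) */
}

/* Hardened form: validate the range before any arithmetic, so nothing wraps.
 * Returns 0 and stores |input| + 5 in *out, or -1 if the value is rejected. */
static int checked_transform(int32_t input, int32_t *out) {
    if (input == INT32_MIN) return -1;   /* -input is not representable */
    int32_t mag = input < 0 ? -input : input;
    if (mag > INT32_MAX - 5) return -1;  /* mag + 5 would overflow */
    *out = mag + 5;
    return 0;
}

int main(void) {
    /* Constructed sample inputs around the edges of the int32_t range. */
    const int32_t samples[] = { -1, -10, 0, INT32_MAX - 5, INT32_MAX - 4,
                                INT32_MAX, INT32_MIN };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t out = 0;
        int rc = checked_transform(samples[i], &out);
        printf("%11d  original check reaches print_flag: %d  hardened: %s\n",
               (int)samples[i], reaches_flag(samples[i]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

Every input for which the modelled check reaches print_flag is one the hardened function rejects, because both failures come from the same two unrepresentable results: the negation of INT32_MIN and a sum above INT32_MAX.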

Read more

ROP : ret2win (x86)

For the x86 version of the challenge, we can see that the program contains the following functions:

gef➤  info functions
All defined functions:

Non-debugging symbols:
0x08048374  _init
0x080483b0  read@plt
0x080483c0  printf@plt
0x080483d0  puts@plt
0x080483e0  system@plt
0x080483f0  __libc_start_main@plt
0x08048400  setvbuf@plt
0x08048410  memset@plt
0x08048420  __gmon_start__@plt
0x08048430  _start
0x08048470  _dl_relocate_static_pie
0x08048480  __x86.get_pc_thunk.bx
0x08048490  deregister_tm_clones
0x080484d0  register_tm_clones
0x08048510  __do_global_dtors_aux
0x08048540  frame_dummy
0x08048546  main
0x080485ad  pwnme
0x0804862c  ret2win
0x08048660  __libc_csu_init
0x080486c0  __libc_csu_fini
0x080486c4  _fini

We get a bunch of not-so-interesting functions, as well as a main, pwnme and ret2win function. They are used for the following:

Read more