redpwn-2020

CTF Writeup - https://2020.redpwn.net/

View on GitHub
26 June 2020

coffer-overflow-0

by raghul-rajasekar

Can you fill up the coffers? We even managed to find the source for you. nc 2020.redpwnc.tf 31199

Files:

Solution

The source file contains the following code:

#include <stdio.h>
#include <string.h>

int main(void)
{
  long code = 0;
  char name[16];
  
  setbuf(stdout, NULL);
  setbuf(stdin, NULL);
  setbuf(stderr, NULL);

  puts("Welcome to coffer overflow, where our coffers are overfilling with bytes ;)");
  puts("What do you want to fill your coffer with?");

  gets(name);

  if(code != 0) {
    system("/bin/sh");
  }
}

It’s clear that we just have to change the value of code somehow to get shell access. Since buffer overflow from name will leak into code first, any suitably-sized input (I used the input ABCDABCDABCDABCDABCDABCDABCD of length 28 bytes) would grant shell access.

Flag

flag{b0ffer_0verf10w_3asy_as_123}

tags: