What is going on here ?
I don’t believe you…
you are crazy !!!

(No ASLR)
nc 18.223.228.52 13337

believeMe

Let’s check the file first.

It is a 32-bit ELF file which is dynamically linked and not stripped. Let’s check which protections it has.

Its stack is not executable and it has a stack canary.

Let’s run the binary to see what it does.

It reads a string and prints it back to us.

Now, let’s check what functions it has.

The noxFlag function looks interesting. Let’s disassemble it.

It reads the flag from flag.txt and prints it to us. Thus, we need to call this function somehow.

Let’s disassemble the main function.

It reads up to 38 characters and, if the string ends with a newline character, replaces it with a null byte. Then it uses printf to print this string back.

Let’s examine the stack by setting a breakpoint on the fgets call.

The stack canary is at offset 64 and the return address is at offset 72. Therefore, we cannot use a buffer overflow to overwrite them. However, the binary uses printf to print our string back, so we can use a format string exploit to overwrite the return address directly without touching the stack canary. Normally, we would need a leak to learn the stack address of the return address. However, the challenge description says ASLR is disabled on the server, which means the addresses are always the same. We can use this to calculate the address before we create our exploit.
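The two paragraphs above describe the bug: a bounded read (no overflow past the canary) followed by printf being handed the user's buffer as its format string. The following C is an added illustration, not the challenge's source: it reconstructs the vulnerable shape next to the hardened one (constant format, input passed as an argument), plus a small check that counts the conversion directives printf would interpret. BUF_SZ, the function names and the sample input are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not the challenge binary. The page says main() reads
 * up to 38 characters; BUF_SZ mirrors that figure (assumption). */
#define BUF_SZ 38

/* Trailing-newline trimming, as the page describes for the challenge's main(). */
static void strip_newline(char *s) {
    size_t n = strlen(s);
    if (n > 0 && s[n - 1] == '\n')
        s[n - 1] = '\0';
}

/* Vulnerable shape: the attacker-controlled buffer IS the format string.
 * fgets cannot overflow the buffer, so the canary is never touched, but every
 * '%' directive in the input is interpreted by printf. That is the defect the
 * writeup abuses. gcc -Wformat-security flags exactly this call. */
void echo_vulnerable(FILE *in) {
    char buf[BUF_SZ];
    if (!fgets(buf, sizeof buf, in))
        return;
    strip_newline(buf);
    printf(buf);          /* BUG: non-constant format string */
    putchar('\n');
}

/* Hardened shape: a constant format string, with the input as a %s argument.
 * '%' characters in the input are now data and are never interpreted.
 * Returns the number of characters written to out (excluding the NUL). */
int echo_safe(const char *input, char *out, size_t outsz) {
    char buf[BUF_SZ];
    snprintf(buf, sizeof buf, "%s", input);   /* bounded copy, like fgets */
    strip_newline(buf);
    return snprintf(out, outsz, "%s", buf);   /* constant format string */
}

/* Defensive check: count the '%' sequences printf would treat as conversions
 * (a literal "%%" is not one). Handy for flagging suspicious input in logs
 * and for unit-testing that echo_safe never interprets them. */
int count_format_directives(const char *s) {
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" prints a single percent sign */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

/* 1 if echo_safe reproduces the input (minus a trailing newline) byte for
 * byte, i.e. no directive in it was interpreted. */
int echo_safe_is_verbatim(const char *input) {
    char out[64], expect[64];
    echo_safe(input, out, sizeof out);
    snprintf(expect, sizeof expect, "%s", input);
    strip_newline(expect);
    return strcmp(out, expect) == 0;
}

int main(void) {
    char out[64];
    const char *probe = "%21$p\n";   /* constructed sample input */
    printf("directives in probe: %d\n", count_format_directives(probe));
    echo_safe(probe, out, sizeof out);
    printf("safe echo: %s\n", out);  /* the %21$p is printed literally */
    return 0;
}
```

The fix is the single line change from printf(buf) to printf("%s", buf); the rest exists so the property can be tested rather than asserted. Building the original binary with -Wformat-security (or -Werror=format-security) would have reported the vulnerable call at compile time.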

Let’s put a breakpoint on the printf call and examine the stack again.

At offset 108, we see our return address, which is 0xffffd2bc. At offset 84, there is an address 0xffffd2c0, which is the 21st argument of the printf call. Now we can leak this address from the server manually and calculate the return address by subtracting 4 from it.

Now we know the return address is at 0xffffdd2c. We need to change the return address to 0x0804867b. We will achieve this using the %hn specifier twice. First, we will write 0x867b to 0xffffdd2c, then we will write 0x0804 to 0xffffdd2e.

Here is the Python exploit that does this.

Let’s run it.

The flag is noxCTF{%N3ver_%7rust_%4h3_%F0rmat}.