Very Important Service. Flag in /opt.
nc importantservice.uni.hctf.fun 13375
a30577b33492f15d382ef665ee6abda2.tar.xz

Let’s look at the file information first.

It is a 64-bit ELF PIE executable, dynamically linked and not stripped.

Let’s check its protections.

The binary is position independent and has a stack canary. Its stack is also not executable.

Let’s run it and see how it works.

It looks weird. Let’s decompile its main function and try to understand it further.

It first reads values for width and height. Then it reads another input whose length is equal to the given width and calls the dologic function with those inputs. Let’s decompile the dologic function as well.

It simply copies our input to create a width * height pattern, but the characters in each row are incremented by that row’s index. Finally, it prints the pattern string in reverse. In the main function there is a check that prevents us from creating a pattern longer than 0x400 bytes. However, we can bypass it easily by entering 0 as the height. Not only does this bypass the length check, it also keeps the dologic function from modifying our input. The catch is that we only get one shot: if we leak an address, we cannot use it, because the program terminates. If we try to overwrite the return address, the canary is corrupted and the program is terminated. We also cannot simply call functions by address, since the binary is position independent and we don’t know where it gets loaded.
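To make the length-check flaw concrete, here is a reconstruction written for this writeup (added example, not the challenge’s own code, which is only described above): the buffer size, the product-based check and the per-row increment follow the description, while the function names and the hardened variant are my own. The flawed check and the hardened one side by side show exactly why a height of 0 slips through.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 0x400  /* pattern buffer size stated in the writeup */

/* Flawed length check as described (reconstruction, not the binary's code):
 * only the product is bounded, so height == 0 lets any width through. */
bool flawed_check(size_t width, size_t height) {
    return width * height <= BUF_SIZE;
}

/* Hardened check: the raw read of `width` bytes must fit on its own, and the
 * product is bounded without risking multiplication overflow. */
bool hardened_check(size_t width, size_t height) {
    if (width == 0 || height == 0) return false;  /* empty pattern is meaningless */
    if (width > BUF_SIZE) return false;           /* the input read itself would overflow */
    if (height > BUF_SIZE / width) return false;  /* same as width*height > BUF_SIZE, overflow-free */
    return true;
}

/* Pattern construction as the writeup describes dologic: row r holds the input
 * with every character incremented by r. Returns the pattern length, or -1
 * when the hardened check fails or `out` (capacity `cap`) is too small. */
int build_pattern(const char *in, size_t width, size_t height, char *out, size_t cap) {
    if (!hardened_check(width, height) || width * height >= cap) return -1;
    for (size_t r = 0; r < height; r++)
        for (size_t c = 0; c < width; c++)
            out[r * width + c] = (char)(in[c] + r);
    out[width * height] = '\0';
    return (int)(width * height);
}

/* Builds into a correctly sized local buffer and compares with `expected`. */
bool pattern_equals(const char *in, size_t width, size_t height, const char *expected) {
    char buf[BUF_SIZE + 1];
    int n = build_pattern(in, width, height, buf, sizeof buf);
    return n >= 0 && strcmp(buf, expected) == 0;
}

int main(void) {
    /* Constructed inputs: the height-0 case from the writeup, and a normal one. */
    printf("width=0x401 height=0: flawed=%d hardened=%d\n",
           flawed_check(0x401, 0), hardened_check(0x401, 0));
    char buf[BUF_SIZE + 1];
    int n = build_pattern("ab", 2, 3, buf, sizeof buf);
    printf("pattern(\"ab\", 2, 3) -> %d bytes: %s\n", n, buf);
    return 0;
}
```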

Let’s look at the function table of the binary.

We have the dologic function at 0x11bc and the givemeshellpls function at 0x11a9. If you look at the main function carefully, you will see that dologic is called through a pointer stored locally. We can overwrite this pointer before it is called, and there is only a one-byte difference between the dologic and givemeshellpls addresses. Since the image base is a multiple of 4096 (0x1000) bytes, the lowest byte of each function’s address is unaffected by where the binary is loaded. Therefore, we can redirect the pointer from dologic to givemeshellpls by overwriting a single byte.

The function pointer is located at [bp-20h] and our buffer is located at [bp-420h]. After 0x400 bytes we can overwrite the lowest byte of the pointer.

Here is the exploit script.

Let’s run it and get the flag.

Here is flag{deedl_deeeedl_deeeeeeeee}.