Thats still kindergarten stuff. Flag in /opt.
nc kindergarten.uni.hctf.fun 13373
48800cb1ffbd78f067d68425baa25d88.tar.xz 
48800cb1ffbd78f067d68425baa25d88.tar.xz MIRROR

Let’s start with looking at the file information.

It is a 64-bit ELF executable which is dynamically linked and not stripped.

Let’s take a look at its protections.

We have a non-executable stack and the binary is position independent.

Let’s run the program and play with it a bit.

It seems we are allowed read and write values of an array. However, we are also allowed to enter negative indexes which allows us to read/write from both directions.

Let’s look at the decompilation of its main function.

There is a boundary check for the positive values of index, but not for the negatives! Notice that the second scanf uses “%hhd” which means it reads a single byte. Still, we can read from and write to addresses one by one since there is an infinite loop.

Let’s look at the .bss section to find the array.

It is located at offset 0x4080 which is higher than Global Offset Table’s offset.

Therefore, we can leak addresses from GOT and even overwrite them. In order to calculate the libc base address, we can use [email protected]. Notice that we can’t use [email protected], because the got entries initially point to PLT section. When a function is called for the first time, its real address gets calculated by the PLT section and written to its GOT entry. If you look at main, the functions setvbuf, printf, and scanf are all called but not exit. It will be called when we exit the loop by entering a non-digit character. Our plan is to read the address of setvbuf and calculate libc base. Then, overwrite the address of exit to call arbitrary functions from libc. However, we have no control over the stack which means we cannot set parameters to registers using gadgets. Therefore, we cannot call system(‘/bin/sh’). Let’s try to find a one gadget in the given libc whose requirements are fulfilled.

We have the above one gadgets. Let’s set a breakpoint on the call of exit in main and check the constraints.

Since the RAX is 0, we can use the one gadget located at 0x45216. Now, we can create our exploit.

Here is the exploit script.

Let’s run the script and get our flag.

Here is flag{I_have_a_lack_of_creativity}.