Ayo, Johhny’s got your take from the job.
Go meet up with em’ to claim your share.
Oh, and stop asking to see the Mona Lisa alright. It’s embarrassing

nc 18.191.244.121 12345

lisa

Let’s check the file information first.

It is a 32-bit ELF PIE executable. Let’s check its protections as well.

Also, the file’s stack is not executable.

Let’s decompile its main function.

It allocates memory for the server-side password and gives us its address. Then it reads a password from stdin and calls the checkPass function.

Let’s look at the checkPass function.

It compares the passwords. If they match, lisa gets called. Otherwise, fail gets called. The lisa function simply prints Mona Lisa ASCII art with the flag inside it. Notice that the fail function has a char pointer parameter called buf. That looks interesting. Let’s decompile the fail function.

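It reads 29 bytes into buf. Notice that buf is located at [bp-18h]: the buffer starts 0x18 = 24 bytes below the saved ebp, and the saved ebp takes another 4 bytes, which means the return address of the checkPass function is at buf+28. Therefore, the 29th byte we send overwrites one byte of the return address. Because x86 is little-endian, that is its least significant byte.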

Let’s look at the disassembly of the main to perform better calculations.

The program moves esp to ebp and pushes ebx onto the stack, which decreases esp by 4. Then it subtracts 0x30 from esp, which makes esp equal to ebp-0x34. Notice that after every call the parameters are cleared from the stack. Therefore, we know that esp will still be ebp-0x34 when we return from the checkPass call. Notice also that the password supplied by the user is stored at ebp-0x34, thus we have full control over the stack!

Since we can only change one byte of the return address, we cannot jump very far. How about jumping back to the _read call that is located at 0xD15? We know the address of the memory where the real password is stored, and we have full control over the stack. We can simply call _read such that it reads input from stdin and writes it to the address of the password. After that, checkPass will be called and, since we have supplied both passwords, they will match. Finally, lisa will be called and we will get our flag.
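The frame arithmetic above, modelled as an added example (not code from the original write-up or from the challenge binary): a 24-byte buffer followed by the saved ebp and the return address, filled once by a read that allows 29 bytes and once by a read clamped to the buffer size. The function names and the saved ebp and return address values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   0x18               /* buf sits at [bp-18h]: 24 bytes below saved ebp */
#define FRAME_SIZE (BUF_SIZE + 4 + 4) /* buf + saved ebp + return address */
#define RET_OFF    (BUF_SIZE + 4)     /* = 28, the buf+28 from the write-up */

/* Decode a little-endian 32-bit value, as x86 stores it on the stack. */
static uint32_t load_le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Build a model frame holding the given saved ebp and return address. */
static void frame_init(unsigned char *f, uint32_t ebp, uint32_t ret) {
    memset(f, 0, FRAME_SIZE);
    for (int i = 0; i < 4; i++) {
        f[BUF_SIZE + i] = (unsigned char)(ebp >> (8 * i));
        f[RET_OFF + i]  = (unsigned char)(ret >> (8 * i));
    }
}

/* The flawed read: copies up to `limit` bytes with no regard for BUF_SIZE. */
static void read_unchecked(unsigned char *f, const unsigned char *in, size_t n, size_t limit) {
    memcpy(f, in, n < limit ? n : limit);
}

/* Corrected read: the limit is clamped to the buffer's real size. */
static void read_bounded(unsigned char *f, const unsigned char *in, size_t n) {
    memcpy(f, in, n < BUF_SIZE ? n : BUF_SIZE);
}

/* Return address after `n` input bytes (all `fill`, final byte `last`). */
uint32_t ret_after(int bounded, size_t n, unsigned char fill, unsigned char last) {
    unsigned char f[FRAME_SIZE], in[64];
    frame_init(f, 0xffffd0c8u, 0x56555d40u);  /* constructed sample values */
    memset(in, fill, sizeof in);
    if (n > sizeof in) n = sizeof in;
    if (n) in[n - 1] = last;
    if (bounded) read_bounded(f, in, n); else read_unchecked(f, in, n, 29);
    return load_le32(f + RET_OFF);
}

int main(void) {
    printf("29-byte read: ret = 0x%08x\n", ret_after(0, 29, 'A', 0x15));
    printf("bounded read: ret = 0x%08x\n", ret_after(1, 29, 'A', 0x15));
    return 0;
}
```

The upper three bytes of the return address never change, so control flow can only move within the same 256-byte window of code, and clamping the read to the buffer size removes even that.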

Here is the exploit script:

Let’s run the script.

Here is the flag TUCTF{wh0_pu7_7h47_buff3r_7h3r3?}.