Entity

Target Information

  • IP: 161.35.36.157:32290

Exploitation

  • Running telnet 161.35.36.157 32290 gets me into the server and runs the attached C code.

  • Going through the program, the (R)un ~> (L)ie down option spits out 43174422884.

  • The (C)ry option calls the get_flag() function, which returns the flag if DataStore.integer == 13371337.

  • The set_field function sets the DataStore.integer value to the value of a sscanf call, but it exits the program if the value is 13371337.

    This means that we can't set the value to 13371337 directly, but we can hopefully overflow it. The sscanf call is sscanf(buf, "%llu", &DataStore.integer).

    (T)ry to turn it off ~> (L)ie down ~> "Maybe try a ritual?" allows us to enter text. The maximum 64-bit integer is 18446744073709551615, so we can subtract 13371337 from that and negate the result, hoping the unsigned long long wraps around to the correct value. This value is -18446744073696180279.

    (T)ry to turn it off ~> (L)ie down ~> "Maybe try a ritual?" ~> -18446744073696180279 is, unfortunately, also detected by the program, which exits.

  • The DataStore.string can be set to an 8-character string, the same length as the integer, which suggests it is somehow involved in setting the integer value.

    The set_field function calls memcpy(DataStore.string, buf, sizeof(DataStore.string)) to set the string, which can possibly be used to overflow the integer value. Running (T)ry to turn it off ~> (L)ie down ~> "Anything else to try?" ~> 133713371337 sets the string to 13371337 and the integer to 3977579182370796337, which probably isn't supposed to happen.

    Doing the same thing with 1 as the input sets the string to 1 and the integer to 2609, which is a sign that we are going in the right direction.

    • 10 sets integer to 667697
    • 50 sets integer to 667701
    • 99 sets integer to 670009
    • FF sets integer to 673350
    • \\ sets integer to 679004
    • ff sets integer to 681574
    • \n sets integer to 683612
    • 100 sets integer to 170930225
    • 001 sets integer to 170995760
    • 999 sets integer to 171522361
    • Up key (^[[A) sets integer to 172055323
    • abc sets integer to 174285409
    • 1337 sets integer to 43875775281
    • 7777777 sets integer to 736117774387459895
    • 18446744073696180279 sets integer to 3761692294704805937
    • -18446744073696180279 sets integer to 3762535611533635885
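The observations in the list above can be reproduced with a small model (an added example, not part of this writeup): every recorded integer is the first eight bytes of the typed line, newline included, read as a little-endian unsigned long long and NUL-padded when the line is short. The model's view of the memcpy is an inference from the values on this page, not the challenge's actual source; the sample inputs are copied from the list.

```python
import struct

# Observations copied from the list above: (typed line, resulting DataStore.integer).
# The terminal sends the line with a trailing newline, which is included here.
OBSERVED = [
    (b"1\n", 2609),
    (b"10\n", 667697),
    (b"FF\n", 673350),
    (b"\x1b[A\n", 172055323),            # Up arrow key, echoed as ^[[A
    (b"1337\n", 43875775281),
    (b"7777777\n", 736117774387459895),
    (b"133713371337\n", 3977579182370796337),
    (b"-18446744073696180279\n", 3762535611533635885),
]


def model_integer(line: bytes) -> int:
    """Model of what set_field's memcpy does to DataStore.integer (an assumption
    inferred from the observed values): the first 8 bytes of the line land in the
    integer and are interpreted as a little-endian unsigned long long; shorter
    lines are NUL-padded, so the newline and stale zeros show up as high bytes."""
    return struct.unpack("<Q", line[:8].ljust(8, b"\0"))[0]


def decode_integer(value: int) -> bytes:
    """Inverse view: recover the raw bytes behind an observed integer (trailing NULs stripped)."""
    return struct.pack("<Q", value).rstrip(b"\0")


def check_observations(observations=OBSERVED) -> list:
    """Return the observations the model fails to reproduce (an empty list means the model fits)."""
    return [(line, value) for line, value in observations if model_integer(line) != value]


if __name__ == "__main__":
    for line, value in OBSERVED:
        print(f"{line!r:28} -> {value:<20} decodes back to {decode_integer(value)!r}")
    print("unexplained observations:", check_observations())
```

The 12-character input is the informative case: only its first 8 bytes reach the integer, which is consistent with the memcpy copying sizeof(DataStore.string) bytes.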