05 - passcode
Mommy told me to make a passcode based login system. My initial C code was compiled without any error! Well, there was some compiler warning, but who cares about that?
ssh passcode@pwnable.kr -p2222 (pw:guest)
The main function calls welcome, and then login directly after.
welcome receives a 100-character string, prints it, and then exits. This input cannot be overflowed, but it may be useful later.
Login
It seems we need to make passcode1 and passcode2 equal to 338150 and 13371337, but closer examination shows that we can't write input into these variables because scanf is misused! Both variables are missing the & in the scanf call, so scanf treats each variable's current value as a pointer and writes the input to wherever it points, not into the variable itself.
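For contrast, here is the defect described above next to a corrected login check. This is an added example, not the challenge's source code: the function names `parse_passcode` and `check_login`, the buffer sizes and the output strings are assumptions, and only the two expected values come from the write-up.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* The defect, as the write-up describes it (shown as a comment only):
 *     int passcode1;
 *     scanf("%d", passcode1);   // no '&': the uninitialized VALUE becomes the write address
 * gcc and clang report this under -Wformat; -Wall -Werror=format makes it a build failure.
 */

/* Hypothetical helper: parse one input line as a decimal int. Returns 1 on
 * success, 0 on empty, non-numeric, trailing-junk or out-of-range input. */
int parse_passcode(const char *line, int *out)
{
    char *end;
    long v;
    errno = 0;
    v = strtol(line, &end, 10);
    if (end == line || errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return 0;
    while (*end == ' ' || *end == '\n' || *end == '\r')
        end++;
    if (*end != '\0')
        return 0;
    *out = (int)v;
    return 1;
}

/* Corrected check: both variables are initialized and are only ever
 * written through their own addresses (&passcode1, &passcode2). */
int check_login(const char *in1, const char *in2)
{
    int passcode1 = 0, passcode2 = 0;

    if (!parse_passcode(in1, &passcode1) || !parse_passcode(in2, &passcode2))
        return 0;
    return passcode1 == 338150 && passcode2 == 13371337;
}

int main(void)
{
    char a[32], b[32];
    if (!fgets(a, sizeof a, stdin) || !fgets(b, sizeof b, stdin))
        return 1;
    puts(check_login(a, b) ? "login ok" : "login failed");
    return 0;
}
```

Reading whole lines with fgets also avoids the case where non-numeric input is left unread in stdin for the next read.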
First execution - passcode1 is a number
Second execution - passcode1 is a string
It seems the program is not interacting properly with regular input. What's going on?
Let's debug this thing.
We'll examine the stack at the beginning of login after inputting the longest allowed input, all made of 'a'.
Some of the input made its way here. Does this help us? Look closely.
This is the location of passcode1. What do we find there?
The last four bytes of our input! So, we can control the value of passcode1. What can be done with it?
If you recall the examination of the code, the value requested from the user will be written to the location pointed to by passcode1. Where should we make it point?
TODO