CTFtime.org

basic-file-exploit

by s3pi0l / s3pi0l_solo

Rating:

# PicoCTF2022 : basic_file_exploit challenge writeup

Let's start by downloading the file from the link. We get the source code of the program with the flag redacted. The goal is to understand the program's logic and exploit it to get the flag.

The description tells us that the program allows to write to a file and read from it. One way we can go about this is to search directly for the line of the file in which the flag array is used. We end up in the `data_read()` function.

![image](https://user-images.githubusercontent.com/87393748/162401144-e4144095-1804-4272-bd7f-dea8268dc1f9.png)

The program asks to give the entry of the inserted data and then calls the `tgetinput()` function to get the input. The `entry` argument can be assumed to be the place where our input gets stored. This function also returns an integer, and if it's 3 it means that the user waited too long before supplying the input (the comment says it), resulting in the termination of the program. Now we get to the block which contains the flag.
The `strtol()` function is called and the returned value is checked to see if it's equal to 0. To find out what this function does, we can use the man page by typing `man strtol` in the terminal. That's what we get.

![image](https://user-images.githubusercontent.com/87393748/162403725-49e5e5ca-a072-4778-a062-d3ccb1a83db9.png)

The manual says that the *... function converts the initial part of the string in nptr*(our entry variable)*to a long integer value according to the given base ...*. So, in our case, the content of the entry variable, which is what we gave in input to the program, is converted to a long integer in base 10.
This value is then returned in the *entry_number* variable. So we can give a 0 in input, which will be converted to a 0 by the function. In this way the execution enters the block, where the flag is printed with the `put()` function.

Now we connect with netcat using the string `nc saturn.picoctf.net 50366`.

![flag](https://user-images.githubusercontent.com/87393748/162408156-1ae2666e-347e-4244-adb2-3719c1491817.png)

A menu is printed on the screen. If we try to get directly to the exploit part, it tells us that there's no data yet. So we first need to insert some data. We choose the first option and follow the instructions. Then it asks if we'd like to do anything else. We select the second option. At this point it will ask for the entry number of the data. Type zero, press enter and get the flag.

Original writeup (https://github.com/0xs3pi0l/CTF_writeups/blob/main/PicoCTF2022/basic_file_exploit/writeup.md).

Comments