Description
Can you figure out how this program works to get the flag? Connect to the program with netcat:
start the instanceThe program’s source code can be downloaded here. The binary can be downloaded here.
Solution
We can learn another function of gdb from this challenge.
In the question, we are asked to input the address of the win function.
Enter the address in hex to jump to, excluding '0x':How do we know we need the address of the win function?
We can check it from the source code.
int win() {
FILE *fptr;
char c;
printf("You won!\n");
// Open file
fptr = fopen("flag.txt", "r");
if (fptr == NULL)
{
printf("Cannot open file.\n");
exit(0);
}
// Read contents from file
c = fgetc(fptr);
while (c != EOF)
{
printf ("%c", c);
c = fgetc(fptr);
}
printf("\n");
fclose(fptr);
}To find out the address of the function, we can use the command info function.
(gdb) info function
All defined functions:
Non-debugging symbols:
0x0000000000401000 _init
0x00000000004010e0 putchar@plt
0x00000000004010f0 puts@plt
0x0000000000401100 fclose@plt
0x0000000000401110 printf@plt
0x0000000000401120 fgetc@plt
0x0000000000401130 signal@plt
0x0000000000401140 setvbuf@plt
0x0000000000401150 fopen@plt
0x0000000000401160 __isoc99_scanf@plt
0x0000000000401170 exit@plt
0x0000000000401180 sleep@plt
0x0000000000401190 _start
0x00000000004011c0 _dl_relocate_static_pie
0x00000000004011d0 deregister_tm_clones
0x0000000000401200 register_tm_clones
0x0000000000401240 __do_global_dtors_aux
0x0000000000401270 frame_dummy
0x0000000000401276 print_segf_message
0x000000000040129e win
0x0000000000401334 main
0x00000000004013d0 __libc_csu_init
0x0000000000401440 __libc_csu_fini
0x0000000000401448 _finiThen we can see the hex address of the win function.
The flag can be given if we input the address excluding 0x.
