Bernardo’s Happy Little Blog

Bof

The piece of code we’re working with today is quite simple. The program reads our input using gets, which is a known vulnerable function: it performs no validation of the length of the data it receives, so it can write outside of its intended bounds. In this case we have to overwrite key, which is an argument of the function we are exploiting. To the untrained eye this might seem impossible, as the argument appears to lie outside the execution context we’re in while inside the function, but function arguments are pushed onto the stack when a function is called, so we can overwrite it just like any other local variable; we just need to go further down the stack than usual (as it was pushed before all the variables inside the function).
Read more >

Level1

So, after starting Flare-On X, I quickly found out that I was in for a lot of pain if I tried to take it on with my current skill set, so I’m starting fresh from the first edition of the project. This challenge is pretty trivial: looking through the code, we can find a function that seems to perform some encoding operations on a hardcoded secret.
Read more >

Flareon10 X

As I can’t physically dedicate myself to only one project at a time, I decided to check out the latest version of the long-running Flare-On CTF. Opening up the folder provided, we are met with a lot of files. As I wouldn’t call myself an expert, or even moderately experienced, in reverse engineering, this is enough to start psyching me out 😅. But onwards I went and opened up X.
Read more >

Nightmare Part 2 (Helithumper RE)

This challenge is a bit more challenging than the last one. In this one we’re presented with a binary that asks us for some input and seems to reject us if we don’t provide it the flag. Opening this up in Ghidra, we can format the main function to look something like this:

bool main(void)
{
    int isValidPassword;
    void *input;
    input = calloc(0x32, 1);
    puts(&DAT_00102008);
    __isoc99_scanf(&DAT_0010203b, input);
    isValidPassword = validate(input);
    if (isValidPassword == 0) {
        puts(&DAT_00102050);
    } else {
        puts("Right this way.
Read more >

Nightmare Part 1 (Pico 2018 strings)

This challenge is very basic and only requires us to run the strings command on the binary and grep for the flag, so running strings ./strings | grep pico, which outputs picoCTF{sTrIngS_sAVeS_Time_3f712a28}, solves this challenge.

Nightmare Introduction (CSAW 2018 Tour of x86)

This is the first challenge of this guide/course, so, as we can expect, it’s very handhold-y, which is good, because even though I think I solved this challenge at some point over the years, I can’t say no to some extra help when starting something new. (I’m copying the questions directly from the post because the initial challenge doesn’t seem to be up anymore.)

Question 1 - What is the value of dh after line 129 executes?
Read more >