basic-file-exploitation
Problem Description
Author: Will Hong
Description
The program provided allows you to write to a file and read what you wrote from it. Try playing around with it and see if you can break it!
Connect to the program with netcat:
$ nc saturn.picoctf.net 52681 **
The program’s source code with the flag redacted can be downloaded here.
Write Up
The provided file program-redacted.c contains the code running on the server.
The function which will display the flag is below.
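static void data_read() {
    char entry[4];
    long entry_number;
    char output[100];
    int r;

    memset(output, '\0', 100);

    printf("Please enter the entry number of your data:\n");
    r = tgetinput(entry, 4);
    // Timeout on user input
    if(r == -3)
    {
        printf("Goodbye!\n");
        exit(0);
    }

    // strtol() returns 0 for "0" and also when the input contains no digits;
    // either way this branch prints the flag
    if ((entry_number = strtol(entry, NULL, 10)) == 0) {
        puts(flag);
        fseek(stdin, 0, SEEK_END);
        exit(0);
    }

    // Convert the 1-based entry number to a 0-based index; it is not
    // checked against the number of stored entries before use
    entry_number--;
    strncpy(output, data[entry_number], input_lengths[entry_number]);
    puts(output);
}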
The flag will be displayed if entry_number is 0, that is, when strtol() returns 0 for the entry number the user typed.
The data_read() function cannot be called until the database has been populated with at least 1 entry.
The session below first populates the database with one entry and then requests entry number 0.
Hi, welcome to my echo chamber!
Type '1' to enter a phrase into our database
Type '2' to echo a phrase in our database
Type '3' to exit the program
1
Please enter your data:
1
Please enter the length of your data:
1
Your entry number is: 1
Write successful, would you like to do anything else?
2
Please enter the entry number of your data:
0
[REDACTED]
This will cause the program to print the flag and exit.
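The flag text points at the fix: validate the entry number before using it. The following is an added example, not code from program-redacted.c or from the challenge author; parse_entry_number and its count parameter are hypothetical names, and the sample inputs are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not in program-redacted.c): convert the text of a
 * 1-based entry number into a 0-based index into a table that currently
 * holds `count` entries. Returns 0 and stores the index in *index on
 * success, -1 for any input that does not name an existing entry. */
int parse_entry_number(const char *text, long count, long *index)
{
    char *end = NULL;
    long value;

    errno = 0;
    value = strtol(text, &end, 10);

    /* strtol() returns 0 both for "0" and when it finds no digits, so the
     * return value alone cannot separate valid input from garbage. */
    if (end == text)                    /* no digits consumed: "", "abc" */
        return -1;
    if (*end != '\0' && *end != '\n')   /* trailing junk: "1x" */
        return -1;
    if (errno == ERANGE)                /* value does not fit in a long */
        return -1;
    if (value < 1 || value > count)     /* 0, negatives, unwritten entries */
        return -1;

    *index = value - 1;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, checked against a table with one entry. */
    const char *samples[] = { "1", "0", "abc", "", "2", "-1", "1x" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long idx = -1;
        int rc = parse_entry_number(samples[i], 1, &idx);
        printf("[%s] -> %s\n", samples[i], rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

With a check like this, entry 0 and non-numeric input are rejected as invalid instead of reaching a special branch, and the index passed to data[] always refers to an entry that was actually written.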
Flag
picoCTF{M4K3_5UR3_70_CH3CK_Y0UR_1NPU75_1B9F5942}**
** Note: these values are user-specific and will not work for you.