UTCTF 2022 writeup

CTF
This is a writeup for UTCTF 2022. The 0005 article.

Jump around

f:id:Berrys:20220314123537p:plain

We got an executable file called "jump".
First step, open it in ghidra.

f:id:Berrys:20220314121605p:plain

You can see the main function, but no function to show the flag is here. So, in this challenge, you need to call the get_flag function.

f:id:Berrys:20220314121926p:plain

Second step, debug jump with GDB.
You know the size of the local_78 variable has 112 characters. Now, see what happens if the size of input character has over 120 characters. (Tips: if an executable file is for 64-bit, you need to add 8 to variable for which you want to generate a buffer overflow. if 32-bit, add 4.)

f:id:Berrys:20220314121650p:plain

You can see a string "segmentation fault", and it shows the possibility of getting the RIP register. which is for next command. 126 characters is below.

f:id:Berrys:20220314121703p:plain

Now, you obtain RIP register. (0x414141414141 means "AAAAAA")
You need to set an address of the get_flag function to RIP register when you get it. (get_flag is at 0x0000004011ab)
Third step, do it like picture below.

f:id:Berrys:20220314121718p:plain

The cat command is used to display the contents of a file, however it is also used to input something using the nc command. In this case, use like "cat -".
Then, you will get shell. I used ls command to see what files are in this directory. Finally, you will get the flag.