Stacking Flags
metactf
Task: a remote service runs a non-PIE binary with a 64-byte stack buffer fed by gets() and a hidden win() routine that prints the flag. Solution: overflow 72 bytes to overwrite saved RIP with the fixed win() address and return directly into the flag-printing function.
Challenge
A server at nc.umbccd.net:8921 is hosting the same code, but theirs has a flag, retrieve it. https://github.com/UMBCCyberDawgs/dawgctf-sp26/tree/main/Stacking%20flags
We are given the source for a small 64-bit ELF and a remote host running the same program. The goal is to redirect execution into the hidden win() function, which opens flag.txt, prints its contents, and exits.
Analysis
The vulnerability is immediate: vulnerable_function() allocates a 64-byte stack buffer and calls gets(buffer). Since gets() performs no bounds checking, we can overwrite saved control data on the stack.
Several binary properties make this a textbook ret2win:
- Stack canaries are disabled by -fno-stack-protector.
- PIE is disabled by -no-pie, so win() has a stable address.
- NX is irrelevant because we do not need shellcode; we only need to return into an existing function.
On x86_64, the overwrite distance to saved RIP is 72 bytes: 64 bytes for the buffer and 8 bytes for saved RBP. The remote banner confirmed win() at 0x4011a6, so the payload is simply padding followed by that address in little-endian form.
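The root cause is the unbounded gets() call rather than the 72-byte offset itself. As an added illustration (not code from the challenge or its repository), the routine below is a hypothetical bounded replacement for that read: it accepts at most 63 bytes into the same 64-byte buffer, always NUL-terminates, drains the remainder of an over-long line so it cannot be replayed as the next input, and reports whether truncation happened so the caller can reject the request instead of silently continuing.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Same buffer size the challenge's vulnerable_function() uses. */
#define BUF_SIZE 64

/* Hypothetical hardened replacement for gets(buffer).
 * Reads at most size-1 bytes into buf from `in`, always NUL-terminates,
 * and discards the rest of an over-long line.
 * Returns  0 if the whole line fit,
 *          1 if the line was longer than the buffer and was truncated,
 *         -1 if no input was available (EOF before any byte). */
int read_line_bounded(char *buf, size_t size, FILE *in)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL) {
        if (size)
            buf[0] = '\0';
        return -1;
    }

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';      /* line fit: strip the newline */
        return 0;
    }

    /* No newline in the buffer: either the line was longer than size-1
     * bytes, or EOF arrived without a trailing newline. Drain to the end
     * of the line; if anything was discarded the input was truncated. */
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;
    return truncated;
}

/* Hardened counterpart of the challenge's vulnerable_function():
 * refuses over-long input instead of letting it run past the buffer. */
int handle_request(FILE *in)
{
    char buffer[BUF_SIZE];
    int rc = read_line_bounded(buffer, sizeof buffer, in);
    if (rc != 0)
        return -1;            /* truncated or empty: reject */
    printf("You said: %s\n", buffer);
    return 0;
}
```

With this in place a 72-byte line is cut at 63 bytes and handle_request() returns -1; saved RBP and RIP are never reached. It does not replace the compiler-level defences the write-up lists (canaries, PIE), it removes the memory-safety bug those defences would otherwise be mitigating.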
Exploitation
...