Sunday, March 31, 2019

Buffer Overflows: Cal Poly FAST CTF Challenge 5


Question: Here's a simple C program. What's the password? Format: "fastctf{flag}"
Hint: The C is so full, it's overflowing!
Answer: fastctf{badcodefails}

This challenge gives you a simple C program and expects you to find the flag. Running file5.exe asks for a password and, if you supply the wrong answer, quits.


Trying to brute-force the password is not the intended method, but it can be done. Since the flag format uses curly brackets, you can easily find the flag by searching through the strings in the file. Strings are literal runs of ASCII or Unicode characters inside a file. There are many GUI and command-line tools for finding them. I like to use BinText on Windows (https://bintext.soft32.com/).



Not only can we see the flag “fastctf{badcodefails}”, but we can also see that the correct password needed to display the flag was “thecorrectpassword”. If you did not use strings to solve this and instead looked at the hint “The C is so full, it's overflowing!”, then you may have deduced that this can also be solved via a buffer overflow. Below is what the C program looked like before I compiled it with GCC.



Note the buffer holds 64 characters. The gets() function does not check the array bounds, so it will happily write a string longer than the buffer itself. When more than 64 characters are entered into file5.exe, the input overflows the buffer and overwrites the memory of the adjacent “pass” integer. Once “pass” has been overwritten it is no longer zero, and the flag is printed because the if statement only checks whether “pass” is non-zero. Normally that branch would only execute after “thecorrectpassword” is entered, which sets “pass” to 1.



In the picture above, 65 characters are entered and the flag is printed. Now you have learned a little something about buffer overflows!
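For comparison, here is an added example (my own code, not the challenge's source, which the post only shows as an image) of how the same check looks when the 64-byte buffer is filled with fgets() instead of gets(): an over-long line is rejected instead of running past the buffer into the neighbouring “pass” flag. The password is the one recovered from the strings above; the function names and the tmpfile()-based helper are my own.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not the challenge's original source. The 64-byte buffer
 * and the password are the values the write-up describes/recovered. */
#define BUF_SIZE 64
static const char CORRECT_PASSWORD[] = "thecorrectpassword";

/* Discard the rest of an over-long line so the stream sits at the next line. */
static void drain_line(FILE *in)
{
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
}

/* Read one line into a 64-byte buffer and compare it with the password.
 * Returns 1 on a match, 0 otherwise. Unlike gets(), fgets() stops after
 * BUF_SIZE-1 characters, so input can never run past `buf` into whatever
 * the compiler placed beside it (the "pass" flag in the original program). */
int check_password(FILE *in)
{
    char buf[BUF_SIZE];
    if (fgets(buf, sizeof buf, in) == NULL)
        return 0;                               /* EOF or read error */
    char *nl = strchr(buf, '\n');
    if (nl != NULL) {
        *nl = '\0';                             /* whole line fit */
    } else if (strlen(buf) == sizeof buf - 1) { /* buffer full: more left? */
        int c = fgetc(in);
        if (c != EOF && c != '\n') {
            drain_line(in);
            return 0;                           /* over-long line: reject */
        }
    }
    return strcmp(buf, CORRECT_PASSWORD) == 0;
}

/* Run check_password() over an in-memory line via a temporary file, so the
 * check can be exercised without a real stdin. */
int check_password_str(const char *line)
{
    FILE *f = tmpfile();
    if (f == NULL) return 0;
    fputs(line, f);
    rewind(f);
    int r = check_password(f);
    fclose(f);
    return r;
}
```

Feeding this version the same 65-character line from the write-up returns 0 rather than printing the flag, because nothing outside `buf` is ever written.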
