This challenge is in the reverse engineering category. Reverse engineering is a handy skill to have while pwning binaries. The challenge gives us only a binary, which says it has malloc'd a buffer and saved the flag in it. So let’s start the challenge.
Let’s read the prompt and download the important files to our box.
wget http://pwnable.kr/bin/flag
chmod +x flag
Let’s give the binary a dry run and see what happens.
./flag
I will malloc() and strcpy the flag there. take it.
The binary says it has stored the flag in the buffer it malloc'd. So this should be easy: open the binary in gdb and grab the contents that it strcpy's into the malloc'd buffer.
gdb ./flag
info fun
No functions or calls show up in the binary. This is weird, and at first glance this behaviour is difficult to analyze.
One reason the binary shows no functions in gdb could be that it is packed with UPX. The man page of upx states:
UPX is a portable, extendable, high-performance executable packer for several different executable formats. It achieves an excellent compression ratio and offers *very* fast decompression. Your executables suffer no memory overhead or other drawbacks for most of the formats supported, because of in-place decompression.
Now let’s unpack the binary with upx and analyse it in gdb again.
upx -d flag -o flag2
Now when you open it in gdb and check for functions you’ll see far more than earlier.
gdb ./flag2
info fun
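As an added example (not part of the original writeup), here is a small shell triage script that captures the two things that tripped us up above: it checks a file for the "UPX!" marker that UPX leaves in packed executables, unpacks it with `upx -d` into a new file while leaving the original untouched, and reports how many symbols `nm` can see before and after, so an empty `info fun` in gdb is explained before you start stepping. It assumes `nm` from binutils is present and handles `upx` being absent; the marker check is only a heuristic, since markers can be stripped.

```shell
#!/bin/sh
# Added example: triage a suspect binary for UPX packing before debugging.
# Assumes binutils `nm`; `upx` may or may not be installed.

# Return 0 if the file carries the "UPX!" marker UPX leaves in packed
# executables, 1 otherwise. Heuristic only: the marker can be patched out.
is_upx_packed() {
    grep -q 'UPX!' "$1"
}

# Number of symbols a debugger would see; 0 means "info fun" looks empty.
symbol_count() {
    nm "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Unpack $1 into $2 with `upx -d -o`, never modifying the original, and
# print the symbol count before and after.
# Return codes: 0 unpacked, 1 no marker, 2 upx missing, 3 upx failed.
unpack_if_packed() {
    src="$1"; out="$2"
    if ! is_upx_packed "$src"; then
        echo "$src: no UPX marker, nothing to unpack"
        return 1
    fi
    if ! command -v upx >/dev/null 2>&1; then
        echo "upx is not installed"
        return 2
    fi
    upx -d "$src" -o "$out" >/dev/null 2>&1 || return 3
    echo "symbols before: $(symbol_count "$src"), after: $(symbol_count "$out")"
    return 0
}
```

Run it as `unpack_if_packed ./flag ./flag2` to reproduce the unpacking step above with the symbol counts printed alongside.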
That being said, now all we need to do is get the flag out of the malloc'd buffer.
r
ni
We see that first malloc is called with argument 0x64, i.e. 100 bytes.
Then we see the flag being strcpy'd into the malloc'd memory.
Flag is:
UPX...? sounds like a delivery service :)