Note: All the related files that are mentioned in this post can be found here.
Category: Pwn
We were given a server (and a sample ELF file) containing a roulette game. If we guess correctly every round and win enough points, we'll get the flag.
Solution
The intended solution involves an integer overflow, an insecure PRNG, and leaking values using another bug (format string).
However, during the CTF, I found an unintended path to exploit the roulette game and get the flag.
The format string payload (in num_rounds) will overwrite the 'score' pointer value on the heap (this pointer is located at the 12th element on the stack) with the value 10000001, allowing us to affect the jle instruction (below).
If the jump is not taken, we win the game and get the flag.
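Added example, not the challenge binary's source: a hypothetical reconstruction of the two input-handling points the writeup names, showing how each bug is closed. The round count is validated as a plain decimal before it can reach any printf-family call (so a payload containing '%' is rejected outright), and the score update refuses to wrap. The names parse_rounds, add_score, echo_rounds and MAX_ROUNDS are assumptions; the inputs in main() are constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical upper bound on rounds; the challenge's real limit is unknown. */
#define MAX_ROUNDS 1000

/* Accept only an unsigned decimal count in [1, MAX_ROUNDS], optionally
 * followed by the newline fgets() leaves behind. Anything else, '%'
 * included, is rejected, so a format-string payload submitted as the
 * round count never reaches a printf() call. Returns 0 on success. */
int parse_rounds(const char *s, int *out)
{
    char *end;
    long v;

    if (s == NULL || !isdigit((unsigned char)*s))
        return -1;              /* empty, sign, whitespace, or '%' */
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || end == s)
        return -1;              /* too large for long, or no digits */
    if (*end == '\n')
        end++;
    if (*end != '\0')
        return -1;              /* trailing junk such as "5%n" */
    if (v < 1 || v > MAX_ROUNDS)
        return -1;
    *out = (int)v;
    return 0;
}

/* Overflow-checked score update: the intended solution leans on an
 * integer overflow, so refuse any delta that would wrap the score.
 * Returns 0 and stores the new score, or -1 if it would overflow. */
int add_score(int score, int delta, int *out)
{
    if ((delta > 0 && score > INT_MAX - delta) ||
        (delta < 0 && score < INT_MIN - delta))
        return -1;
    *out = score + delta;
    return 0;
}

/* The bug class the writeup exploits is user text used as the format
 * itself, i.e. printf(user). The fix is one line: user text is always
 * an argument, never the format, so '%n' in it is just two characters. */
void echo_rounds(const char *user)
{
    printf("Rounds requested: %s\n", user);
}

int main(void)
{
    /* Constructed inputs: one honest count, one format-string payload,
     * one oversized number. */
    const char *inputs[] = { "10\n", "%n", "99999999999999999999" };
    int rounds = 0, score = 0, i;

    for (i = 0; i < 3; i++) {
        if (parse_rounds(inputs[i], &rounds) == 0)
            printf("accepted %d rounds\n", rounds);
        else
            printf("rejected input: ");
        echo_rounds(inputs[i]);
    }

    /* Score arithmetic near the wrap point is refused rather than wrapped. */
    if (add_score(INT_MAX, 1, &score) != 0)
        printf("score update refused: would overflow\n");
    return 0;
}
```

Compiling with -Wformat-security (or -Wformat=2) flags any remaining printf(user) pattern at build time, which is the cheapest detection for this bug class.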
Output from the server:
You Won!
The Flag is: MCL{I_HOPE_YOU'LL_BE_HAPPY_NOW}
(: