Skip to content

Quizploit

vuln.c:

cat vuln.c 
#include <stdio.h>
#include <stdlib.h>

/*
This is not the challenge, just a template to answer the questions.
To get the flag, answer all the questions. 
There are no bugs in the quiz.
There are 0xD questions in total.

*/

void win(){
        system("cat flag.txt");
}

void vuln(){
        char buffer[0x15] = {0};
        fprintf(stdout, "\nEnter payload: ");
        fgets(buffer, 0x90, stdin);
}

void main(){
        vuln();
}

GDB output of ./vuln:

(gdb) disas win 
Dump of assembler code for function win:
   0x0000000000401176 <+0>: endbr64
   0x000000000040117a <+4>: push   %rbp
   0x000000000040117b <+5>: mov    %rsp,%rbp
   0x000000000040117e <+8>: mov    $0x402004,%edi
   0x0000000000401183 <+13>:    call   0x401060 <system@plt>
   0x0000000000401188 <+18>:    nop
   0x0000000000401189 <+19>:    pop    %rbp
   0x000000000040118a <+20>:    ret
End of assembler dump.

file ./vuln:

./vuln: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=19251d430d5dd4b44a3e8489a8c76f1894676f7d, for GNU/Linux 3.2.0, not stripped

checksec --file=./vuln:

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH  Symbols     FORTIFY Fortified   Fortifiable FILE
Partial RELRO   No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   40 Symbols    No    0       1       ./vuln

Quiz Answers

  1. 64-bit
  2. dynamic
  3. not stripped
  4. 0x15
  5. 0x90
  6. yes
  7. fgets
  8. win
  9. buffer overflow
  10. 0x7b
  11. NX
  12. ROP
  13. 0x401176