Backdoor CTF was hosted on a weekday, so we only had the evening to grab as many flags as we could. Here’s how we solved team for 600 points.
The binary we’ve been given is a 32-bit ELF. The output of strings doesn’t give us much. Using strace ./team, it becomes clear that the binary reads from flag.txt so I created one locally. I echoed flag1 to the file and restarted the binary.
It asks for a team name and a flag. After receiving these values in heap buffers (non-overflowable as far as I could gather) it proceeds to read the flag from flag.txt. Then, it compares the user input to the flag using strcmp.
The team name is then printed using printf: this is vulnerable to a format string vulnerability:
Enter teamname: TEAM%llp
Enter flag: FLAG%llp
TEAM0x64 : incorrect flag. Try again.
Okay, so let’s have a look at the stack when we reach printf. It gets called at 8048711 to print the team name.