Dragonbox box 25/15/2023

Connect to below address to spawn your team dedicated instance of the task. You can find your team token in “edit profile”. Warning! Connections to the spawned instance will be limited to the IP address which connected to the launcher (below address) and spawned the instance. There is a limit of one instance per team.

Clarification: “/proc” is not mounted in the challenge setup. This challenge is running on Ubuntu 20.04.

Dragonbox was kind of a file download service. It spawns a server process, to which we can connect and request a file. It would then spawn a daemon, which communicates with the service via a socket. The server process would send our request to the daemon, which then checks if the user is allowed to access the file and answers the server with either yes or no.

Skimming through the provided source code, a buffer overflow in bss can be spotted.

static char g_username
static char g_password
static void set_user(const char *username, const char *password)

So, we can send 0x200 bytes as “authentication token”, and the get_user function will take the string at the beginning of our token as the username, then search for : and take everything after it as the password, and then strcpy them into g_username and g_password. If we provide a token like A:B*0x140, this will overflow g_password and overwrite g_flags.

As this was the only obvious bug I found at first glance, I checked where g_flags is used.
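A bounds-checked form of the credential copy described above, as an added example that is not the challenge's source code. The buffer sizes, the type of g_flags, and the helper names set_user_checked, parse_token and demo_oversized_token are assumptions, since the page does not show them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes and type: the page does not show the real declarations. */
static char g_username[0x100];
static char g_password[0x100];
static uint32_t g_flags;        /* state that follows the buffers in .bss */

/* Length-checked replacement for the strcpy copy: reject, never truncate. */
static int set_user_checked(const char *username, size_t ulen,
                            const char *password, size_t plen)
{
    if (ulen == 0 || ulen >= sizeof g_username || plen >= sizeof g_password)
        return -1;
    memcpy(g_username, username, ulen);
    g_username[ulen] = '\0';
    memcpy(g_password, password, plen);
    g_password[plen] = '\0';
    return 0;
}

/* Split "username:password" out of a token buffer of known length. */
static int parse_token(const char *token, size_t len)
{
    const char *end = memchr(token, '\0', len);   /* stop at an embedded NUL */
    if (end) len = (size_t)(end - token);
    const char *sep = memchr(token, ':', len);
    if (!sep)
        return -1;
    size_t ulen = (size_t)(sep - token);
    return set_user_checked(token, ulen, sep + 1, len - ulen - 1);
}

/* Constructed input with the A:B*0x140 shape; returns g_flags afterwards. */
static uint32_t demo_oversized_token(void)
{
    char token[0x200] = "A:";
    memset(token + 2, 'B', 0x140);
    g_flags = 0x1;
    return parse_token(token, sizeof token) == -1 ? g_flags : 0xffffffffu;
}

int main(void)
{
    printf("g_flags after oversized token: %#x\n", (unsigned)demo_oversized_token());
    return 0;
}
```

Rejecting the token outright, rather than truncating the password, keeps an overlong credential from being silently accepted as a different one.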