[payload] = <addr_of_ret> <addr_of_ret+4> <format string> We must pad the number of bytes printed so that %n writes the correct value.
Challenge type: Binary exploitation (pwn) – 64‑bit Linux Difficulty: Medium / Hard (depends on the exact variant) Points: 500 (CTF typical) TL;DR – The binary is a simple “crack‑the‑code” game that reads a user‑supplied string, checks it against a secret flag stored in the binary, and then prints “Access granted!” on success. The binary contains a classic format‑string vulnerability that lets us leak the address of the secret and later overwrite the check function’s return address to jump to win . By combining an info‑leak with a one‑shot ret2win payload we obtain the flag. Below is a step‑by‑step walkthrough that shows the thought process, the tools used, and the final exploit script (Python + pwntools). Feel free to copy the script and adapt it for the exact binary you downloaded from the short link. 1. Getting the binary The challenge link ( https://bit.ly/crackfire ) resolves to a zip file containing: https- bit.ly crackfire
Invalid code! Try again. If you guess correctly you get: By combining an info‑leak with a one‑shot ret2win
We’ll use the syntax to reference the n‑th argument directly. 7. Crafting the write payload We want to write the address of win (e.g., 0x5555555552f0 ) into the saved RIP located at stack position 3 (the third argument after the format string). the tools used
Pseudo‑code:
$ ./crackfire Welcome to CrackFire! Enter the secret code: > If you type anything other than the hidden code you get:
[0] pointer to format string (our input) [1] saved %rbp of main [2] saved RIP of main <-- target [3...] other registers / args By printing many %p s we can see where the saved RIP lands. Example payload: