Description

[EN]
This time the programmer did a better job to hid his flag. But the problem still: It’s vulnerable. Can you obtain the flag?
Send to 209.190.1.131 9003
NOW WITH SECRET BONUS!

[PT-BR]
Dessa vez o programador caprichou um pouco mais na hora de esconder sua flag. O problema que continua vulneravel. Consegue extrair a flag?
Envie para 209.190.1.131 9003
AGORA COM BONUS SECRETO!

Solved by 32 teams
Bonus solved by 5 teams

binary

Resolution

This is a pretty simple challenge, we wanted to write about the bonus part but we might as well give a write-up for the first part.
We have a standard binary:

The main is just a simple gets(bufonStack), so we can ROP.
A given set of function is given for us to grab the flag, so we end up with the following script:

Now for the bonus part!
We can’t really tell why, but even with a newline terminated string, the output wasn’t correctly flushed. The only way to flush was to call exit(). Given the fact was the binary is a 32 bits one, the entropy for the libc randomization by ASLR is only a few bits (16 bits according to wikipedia), given a fixed system address, we have 1 chance on 65536 to get it right, that’s not much!
So we did the exploit in 2 parts, first one we leaked an address with the following ROP:

With that, we have a randomized libc address: 0xf75bdf30
We now identify the libc using libc database => archive-glibc (id libc6_2.24-3ubuntu1_i386)
And we calculate system address => 0xf75af020

And then we bruteforce with this script:

It takes a short amount of time to get a shell (few minutes).

Flag is: 3DS{n0_symb0l5_w1th_R0P_15_p41nful_r1ght}
Bonus flag is: 3DS{fb1d92953253c7d79b50fbe1c0ca8abd}