Debuggable-1
AAAAAAAAAAAAAAAAAAAAAAAAA
Files
looking at our files we have
Dockerfilerun.pyThe dockerfile isn’t really important just makes linux container with the flag at /app/flag.txt
In run.py we can see that the instance takes in an base64 encoded ELF file loads into gdb and runs the following commands
list /app/flag.txtqApproach
When compiling a program with -g the path to the source code is embedded in the binary
We can exploit this by directly changing the source path and source file name, making gdb list the contents of /app/flag.txt
However, list in gdb only works on functions, so we just have to make a function /app/flag.txt.
This will make gdb list the source code of the file, which we have set to /app/flag.txt giving us the flag
Solution
First we write a basic c program called sol123.c:
#include <stdio.h>void dummy12345678(){}int main(){}Next we compile with gcc -g sol123.c -fdebug-prefix-map=$(pwd)=/app. The -fdebug-prefix-map makes it so in our debug into it looks like our program was compiled from /app
Then we change the first sol123.c in our binary to flag.txt using sed or any file editor. We do the same for dummy12345678 to /app/flag.txt
For this to work that the names that we change must be the same length or it will mess up the binary
Now we convert our binary into base64 and send it to the instance giving us the flag
.;,;.{elves_dwarves_orcs_what_is_going_to_be_next}