# No Password Here

## Description

> Hello B-Team,
>
> Here is one of the vaults that have a flag we need. There's a message associated with the vault, written as follows:
>
> > Don't even think about trying the password because I do not know the password either. I already informed my employees not to use "gets" when writing programs so what could possibly go wrong?
>
> Good luck,\
> HQ

## Yes Password There

We are given a `Code.c` source file:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
void main()
{
    char flag[120];
    setvbuf ( stdout, NULL , _IONBF , 0 );
    char Test[20];

    //random number based on the current time.
    //YOU WILL NEVER GUESS THE PASSWORD. HAHAHAHAHHAH
    srand(time(0));
    sprintf(Test, "%d",rand());

    char input[20];
    printf("Enter something?");
    scanf("%s",input);

    //Check password
    if (strncmp(Test,input,20) == 0)
    {
        FILE *f = fopen("flag.txt","r");

        fgets(flag,100,f);

        printf("Password is correct! Here is your flag: %s", flag);
    }
}
```

As the comments cruelly point out, the password is random and not reasonably guessable, so let's look at the function that replaced `gets`: `scanf`.

The `char` buffer `input` has a size of 20, but `scanf("%s", ...)` never sees that size. What happens if our input is longer than that?

Our goal is to get `strncmp(Test,input,20) == 0` to be true, so the program will open `flag.txt` and print it out for us. How can we do that? There's no way we can guess what `Test` is, so what else can we do?

Let's think about the stack for a moment, since we know `Test` is stored on it. First, a 120-character array is allocated for `flag`. Then a 20-character array is allocated for `Test`. Finally, a 20-character array is allocated for `input`.

Our stack looks something like this:

```
 0 ...            20 0 ...           20 0 ...              120  
| ----- input ----- | ----- Test ----- | ------- flag ------- |
```

If we send in some user input, `scanf` will consume the allocated memory like so:

```
 0 ...            20 0 ...           20 0 ...              120  
| Hello\0 ...       | ----- Test ----- | ------- flag ------- |
```

However, if our input exceeds the boundaries of `input`, it overwrites the password in `Test`, and if we write far enough, the first 20 bytes of `input` and `Test` become identical, so `strncmp(Test, input, 20)` returns 0.

For our payload, spam in a bunch of "A"s and the flag will print.
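To show the mechanism described above next to its fix, here is an added example that is not part of the original write-up or the challenge source. It lays `input`, `Test` and `flag` out adjacently in a struct (an assumption: the compiler does not guarantee the order of locals on the stack, so a struct makes the layout deterministic), uses a constructed secret in place of `rand()`, and compares the unbounded `%s` with the width-limited `%19s`.

```c
#include <stdio.h>
#include <string.h>

/* Same adjacency the write-up assumes: input, then Test, then flag.
 * A struct is used (assumption) because stack ordering of locals is
 * not guaranteed; char arrays have no padding, so the fields abut. */
struct vault {
    char input[20];
    char Test[20];
    char flag[120];
};

/* Constructed stand-in for the rand() output the challenge uses. */
static const char SECRET[] = "123456789";

/* Constructed payload: 40 'A's, enough to cover input and Test; the
 * terminating NUL lands in flag[0], so Test holds no NUL either. */
static const char LONG_INPUT[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

/* Unbounded "%s": like gets(), writes until whitespace regardless of
 * the 20-byte destination, so the overrun spills into Test.
 * Returns 1 when the password check passes. Keep `line` shorter than
 * sizeof(struct vault) so the demo stays inside the struct. */
int check_unbounded(const char *line, const char *secret) {
    struct vault v;
    memset(&v, 0, sizeof v);
    snprintf(v.Test, sizeof v.Test, "%s", secret);
    sscanf(line, "%s", v.input);          /* no width: overflow here */
    return strncmp(v.Test, v.input, 20) == 0;
}

/* Bounded "%19s": at most 19 characters plus NUL are stored, so Test
 * is never touched and only the real secret passes the check. */
int check_bounded(const char *line, const char *secret) {
    struct vault v;
    memset(&v, 0, sizeof v);
    snprintf(v.Test, sizeof v.Test, "%s", secret);
    sscanf(line, "%19s", v.input);        /* width = sizeof(input) - 1 */
    return strncmp(v.Test, v.input, 20) == 0;
}

int main(void) {
    printf("unbounded, 40 A's: %d\n", check_unbounded(LONG_INPUT, SECRET));
    printf("bounded,   40 A's: %d\n", check_bounded(LONG_INPUT, SECRET));
    printf("bounded,   secret: %d\n", check_bounded(SECRET, SECRET));
    return 0;
}
```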

## Flag

`magpie{5c4nf_n07_54f3}`
