- col

March 25 2017

SSHing into the box, I am provided with the following source code in col.c.

#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <string.h>

unsigned long hashcode = 0x21DD09EC;

/* Reads the 20-byte passcode as five 4-byte ints and returns their sum. */
unsigned long check_password(const char* p){
	int* ip = (int*)p;
	int i;
	int res=0;
	for(i=0; i<5; i++){
		res += ip[i];
	}
	return res;
}

int main(int argc, char* argv[]){
	if(argc<2){
		printf("usage : %s [passcode]\n", argv[0]);
		return 0;
	}
	if(strlen(argv[1]) != 20){
		printf("passcode length should be 20 bytes\n");
		return 0;
	}

	if(hashcode == check_password( argv[1] )){
		system("/bin/cat flag");
		return 0;
	}
	printf("wrong passcode.\n");
	return 0;
}

Reading through the source code, we need to provide a 20-byte payload as the first user-supplied argument.

check_password() is run on the user-supplied input, which it walks through after casting the buffer to a pointer to 4-byte integers. The 20-byte input is therefore treated as five 4-byte values, which are summed and compared against the hashcode value 0x21dd09ec.

We simply need to provide the following payload:

print '\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x

This works because the five words sum to the hashcode value:

In [4]: hex(0x01010101 * 4 + 0x1dd905e8)
Out[4]: '0x21dd09ec'
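The same computation, as an added Python 3 example that is not part of the original writeup: it derives the fifth word from the hashcode, packs the payload little-endian, rejects any result containing a NUL byte (which would break the strlen() == 20 check), and re-checks it against a mirror of check_password(). HASHCODE and FILLER are the values from col.c and the writeup; the function names are my own.

```python
import struct

HASHCODE = 0x21DD09EC   # value of `hashcode` in col.c
FILLER = 0x01010101     # the four identical words used in the writeup


def check_password(p: bytes) -> int:
    """Mirror of check_password() in col.c: sum five little-endian
    32-bit ints with C `int` wraparound, returning a signed int32.
    The binary compares that (as unsigned long) with hashcode; since
    hashcode fits in a positive int32, a negative sum never matches."""
    if len(p) != 20:
        raise ValueError("passcode length should be 20 bytes")
    res = 0
    for word in struct.unpack("<5i", p):
        res = (res + word) & 0xFFFFFFFF
    return res - 0x100000000 if res & 0x80000000 else res


def build_passcode(hashcode: int = HASHCODE, filler: int = FILLER) -> bytes:
    """Four words of `filler`; the fifth word is whatever is needed
    so that the 32-bit sum equals `hashcode`."""
    last = (hashcode - 4 * filler) & 0xFFFFFFFF
    payload = struct.pack("<5I", filler, filler, filler, filler, last)
    # argv strings cannot carry NUL bytes, and strlen() would stop early.
    if b"\x00" in payload:
        raise ValueError("payload contains a NUL byte; choose another filler")
    return payload


def passcode_matches(p: bytes, hashcode: int = HASHCODE) -> bool:
    """True when the binary would reach system("/bin/cat flag")."""
    return check_password(p) == hashcode


if __name__ == "__main__":
    pc = build_passcode()
    # Escaped form suitable for the python -c "print ..." shell invocation.
    print("".join("\\x%02x" % b for b in pc), passcode_matches(pc))
```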

Running on the server pops the flag:

[email protected]:~$ ./col `python -c "print '\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x