Kendall was a 300 point "red" challenge - an exploitable. This was a pretty involved challenge but it was simple once you realized what you had to do. Launching the binary would start a forking server for some DHCP Management Console.
Playing around with the console, it's clear that authenticating is going to be integral to solving the challenge. The authenticate function opens a password.txt file and compares it with your input. You would probably be able to use the strcmp as a timing oracle to brute force the password, but that's kind of lame.
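The timing concern with strcmp mentioned above, as an added example (not code from the challenge binary or from this writeup): an early-exit comparison examines more bytes the longer the correct prefix is, while a fixed-width constant-time comparison does the same work for every guess. The secret, PW_MAX and all function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define PW_MAX 32                        /* assumed fixed width of the password field */
static const char SECRET[] = "hunter2";  /* constructed stand-in for password.txt */

/* Early-exit compare in the style of strcmp. *steps counts byte pairs examined,
   standing in for the running time an observer could measure. */
static int leaky_equal(const char *secret, const char *guess, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0;; i++) {
        (*steps)++;
        if (secret[i] != guess[i])
            return 0;                    /* returns at the first mismatch */
        if (secret[i] == '\0')
            return 1;
    }
}

/* Hardened form: both inputs are zero-padded to PW_MAX bytes and every byte is
   XORed and ORed into diff, so the loop does the same work wherever they differ. */
static int ct_equal(const char *secret, const char *guess, size_t *steps)
{
    size_t sl = strlen(secret), gl = strlen(guess);
    unsigned char a[PW_MAX] = {0}, b[PW_MAX] = {0};
    unsigned char diff = (sl > PW_MAX) | (gl > PW_MAX);  /* over-long never matches */
    memcpy(a, secret, sl < PW_MAX ? sl : PW_MAX);
    memcpy(b, guess, gl < PW_MAX ? gl : PW_MAX);
    *steps = 0;
    for (size_t i = 0; i < PW_MAX; i++, (*steps)++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

size_t leaky_steps(const char *g) { size_t n; leaky_equal(SECRET, g, &n); return n; }
size_t ct_steps(const char *g)    { size_t n; ct_equal(SECRET, g, &n); return n; }
int    ct_check(const char *g)    { size_t n; return ct_equal(SECRET, g, &n); }

int main(void)
{
    const char *guesses[] = { "aaaaaaa", "huaaaaa", "huntera", "hunter2" };
    for (size_t i = 0; i < 4; i++)
        printf("%-8s leaky=%zu constant=%zu ok=%d\n", guesses[i],
               leaky_steps(guesses[i]), ct_steps(guesses[i]), ct_check(guesses[i]));
    return 0;
}
```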
While reversing, we noticed the same strange function being used everywhere to read user input. It was strange mostly because it only accepted a size parameter. It didn't accept a destination buffer, nor did it allocate space for one; it just used the same statically sized 128-byte buffer in the .bss segment.