This is the SharkyCTF 2020 write up.

This is quite newbies write up, so I will try my best to explain more in details. This is what I got:

Give away 0 (pwning)

This was the pwning challenge in sharky CTF.

  1. First, we download the source file and run file command to check the file type. We know that it is 64 bit binary files.
  2. I try reverse with radare2 and then I find in the vuln(), fgets() has the vulnerability.

    0x004006c8 sub rsp, 0x20 ;which mean the memory allocation is 32 character, but in the bottom
    0x004006d7 mov esi, 0x32 ;fgets obtain is 50 character, so the program may can exploit by buffer overflow.
  3. After look deep in the function, I found a win_func() which can launch /bin/sh which can get shell.

  4. So now, the goal is clear. We have to use fgets() to exploit with some payload and last return to win_func() to getshell in the server to get the flag.
  5. After the debugging with GDB (Yeah, that's the long process, I'm not going to show you), the payload of my python script is like this.

  6. The attack script is like this, we just fill 32 character with trash character and fill next 16 character with the address of win_func() because I just trying to force the address of win_func to fill the rsp register by using *2. If not, it will return segmentation fault. The last 'AA' is just want to fill all of the 52 character.
    payload=trash(32)+address of win_func(8*2=16)+trash(2)
    PS: The rsp need 64 bit address, so use p64() instead of p32().
  7. And then, connect to the netcat server, I get the flag.

Hope you guys enjoy this write up. Thanks to SharkyCTF to create this challenge. It is pretty awesome.