Greetings everyone!
This is going to be writeup about the challenge beginner-generic-pwn-number-0 of pwn category from RedPwnCTF 2021.

Challenge 1: beginner-generic-pwn-number-0
Running the binary with sample input test simply exited the program with no error code, while running the binary with very long input threw segmentation fault error. So, the program had buffer overflow vulnerability.

Then, I tried to find the number of bytes after which overflow occured. I printed a large number of ‘A’ character and passed it to the program, which caused program to crash with same segmentation fault error.

perl -E "print 'A' x 58" | ./beginner-generic-pwn-number-0


Then, I ran dmesg command to print the message buffer of kernel. 4
It can be seen that crash was caused due to the bad value of RIP register.
4141 are two extra A characters that buffer couldn’t handle, and thus it overwrote the instruction pointer.
As we printed out 58 A characters, and had two extra A’s, the required offset will be 58-2 which equals to 56.

Now, it’s time analyze the binary with radare2. I opened the binary in radare2 with command:
r2 beginner-generic-pwn-number-0, and analyzed the binary with aaaa.
I extracted the binary info with iI command.

As the binary didn’t have canary enable, and wasn’t stripped, exploiting it was easy.
Then, I printed functions list with afl, and seeked to the main function with s main.



Then, I printed the disassemble code of main function with pdf command. It can be seen that there is also an address 0x004012ac which calls shell.


7 As instruction pointer can be controlled , it is possible to jump to the address where shell can be executed.

I used pwntools to craft a simple exploit and got a shell.

from pwn import *

#elf = ELF('./beginner-generic-pwn-number-0')

#p = elf.process()


p = remote("", 31199)

payload = b"A"*56 + p64(0x004012ac)




And there it was, I got shell, and got the flag.

Hope you learned something.
Thanks for reading!

  • seizetheday