VolgaCTF short writeup (interstellar, tiny_bash, mathproblem, pwnie)


VolgaCTF is over and I wrote this short writeup for later reference.

1. pwnie

This program does not enable NX protection, so we can use shellcode. The input buffer size is 0x40 and the output buffer size is 0x80; a format string vulnerability can be exploited to smash the output buffer. Note that "\x63" is stripped to prevent us from using %n to overwrite the return address.

However, a stack cookie is enabled to prevent a trivial stack smash. To get the stack cookie, we first read it by exploiting the format string vulnerability.

In the second connection, we first overwrite the return address, then recover the stack cookie, then send the shellcode (split into two parts and sent in reverse order due to the input buffer restriction). Finally, we send 'exit' and should get the flag.

PS: the shellcode must contain '\x00' so that we can split it into two parts.

2. math problem

As stated, this task is a math problem: four integers are used to generate an expression which evaluates to the fifth number. I found a reference on GitHub and modified it to generate the expression. After 30 rounds we can get the flag.

3. interstellar

First, I wrote a C program using the GMP library to convert the binary magic number into digits. Then I decoded this magic number using a Python script.

PS: this program enables anti-debugging; we can patch it to bypass the defense.


4. tiny_bash

This program mimics a secure shell which prohibits some commands. However, if we add a '\x00' prefix to our commands, the check is bypassed entirely and we can execute arbitrary shell commands such as cat *flag*>&4 .
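
The defensive lesson from this check, as an added example that is not the challenge's code: it assumes the filter applied C string functions to a buffer filled by read(), so a leading NUL made it inspect an empty string. The names DENIED, weak_is_allowed and strict_is_allowed and the deny-list contents are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed deny-list; the challenge's real list is not given in the writeup. */
static const char *const DENIED[] = { "cat", "sh", "flag" };
#define N_DENIED (sizeof DENIED / sizeof DENIED[0])

/* Weak check (assumed shape): ignores the byte count from read() and treats
 * the buffer as a C string, so scanning stops at the first NUL byte.
 * Returns 1 if the command is allowed, 0 if it is rejected. */
int weak_is_allowed(const char *buf, size_t len)
{
    (void)len;
    for (size_t i = 0; i < N_DENIED; i++)
        if (strstr(buf, DENIED[i]) != NULL)
            return 0;
    return 1;
}

/* Length-aware substring search over raw bytes. */
static int contains(const char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; n <= len && i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Hardened check: reject empty input and any embedded NUL, then scan all
 * len bytes, so the checker and the executor see the same command. */
int strict_is_allowed(const char *buf, size_t len)
{
    if (len == 0 || memchr(buf, '\0', len) != NULL)
        return 0;
    for (size_t i = 0; i < N_DENIED; i++)
        if (contains(buf, len, DENIED[i]))
            return 0;
    return 1;
}

int main(void)
{
    const char in[] = "\0cat flag";   /* constructed input, 9 bytes */
    printf("weak=%d strict=%d\n", weak_is_allowed(in, sizeof in - 1),
           strict_is_allowed(in, sizeof in - 1));
    return 0;
}
```

A deny-list remains fragile even with the length-aware scan; an allow-list of permitted commands is the sturdier design.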

