The challenge gives us a binary to exploit. At first glance it doesn't seem to be a buggy binary, but looking further, after logging in (strings fil_chal easily gives you the credentials), you see an info field that will be written somewhere in a file. The number you submit will be used in
v6 = atoi((const char *)&buf);
*(_WORD *)a2 = v6;
n = a2;
v7 = recv(fd, &buf, n, 0);
recv(). The length of buf is 0x41c, so we need to send more than 0x41c bytes, but the length is checked first:
if ( (unsigned int)(a2 + 1) <= 0x400 )
How to bypass this one? Just enter a negative value like "-1" in the info form, so that the length check passes and recv() interprets it as 0xffffffff, which gives us enough length to overflow. The address I chose to jump to is taken from the stack using ret2ret. Once you have the stack address from the server, just compare it with the one you obtained on localhost and calculate the offset.
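To make the root cause concrete, here is an added example (not the challenge's code) that mirrors the check above: a signed value from atoi() is compared after an unsigned cast and then handed to recv() as a size. The buffer size 0x41c and the limit 0x400 come from the writeup; the function names and the hardened variant are mine. The hardened version parses strictly, rejects negatives before any cast, and bounds the length by the buffer it will be read into.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define BUF_LEN  0x41c   /* size of buf in the writeup */
#define MAX_INFO 0x400   /* limit used by the original check */

/* Mirrors the vulnerable check. atoi() yields a signed int; the check casts
   (a2 + 1) to unsigned, so a2 == -1 gives 0 and passes, and the same -1 then
   reaches recv() as 0xffffffff. Returns the length recv() would be asked to
   read, or 0 when the check rejects the input. (1u is added after the cast
   only to keep the arithmetic free of signed overflow; the value is the same.) */
size_t vulnerable_recv_len(const char *input) {
    int a2 = atoi(input);
    if ((unsigned int)a2 + 1u <= MAX_INFO)
        return (size_t)(unsigned int)a2;   /* "-1" -> 0xffffffff here */
    return 0;
}

/* Hardened variant: strict parse, negatives rejected while still signed,
   and the result is bounded by the destination buffer. Returns 0 on reject. */
size_t hardened_recv_len(const char *input) {
    char *end;
    errno = 0;
    long v = strtol(input, &end, 10);
    if (errno != 0 || end == input || *end != '\0')
        return 0;                              /* not a clean decimal number */
    if (v < 0 || v > MAX_INFO || v > BUF_LEN)
        return 0;                              /* negative or oversize */
    return (size_t)v;
}

int main(void) {
    const char *inputs[] = { "100", "1024", "2000", "-1", "12abc" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-6s vulnerable=%zu hardened=%zu\n", inputs[i],
               vulnerable_recv_len(inputs[i]), hardened_recv_len(inputs[i]));
    return 0;
}
```

The point to check in your own code is the order of operations: validate the sign and range while the value is still signed, then bound it by sizeof the destination, and only then pass it to recv().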
Here is the code to exploit:
In this task, as in the previous one, an image was given. If you open it, a board with some writing on it appears. Well, nothing strange so far, but where is the flag? After a bit of investigating it turns out that bytes 0014-0017 of the image hold the height of the picture, so editing it to a large enough number makes the flag appear.
In this task a blank PNG image was given. But it's not that blank once you use colormaps. Open up GIMP and go to Image->Mode->Indexed. Once it is indexed, open the colormap and give it some colors:
+100 for tasteless!
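Both image tasks above come down to reading PNG chunk fields by hand: the height at offset 0x14-0x17 inside IHDR, and the palette in the PLTE chunk. The following added example (my code, not from the CTF) builds a constructed 1x1 indexed PNG header in memory, reads those fields, and recomputes the IHDR CRC. It also shows the check a practitioner wants when triaging such a file: editing the height in a hex editor without updating the CRC leaves a mismatch that a strict parser can flag.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PNG layout: 8-byte signature, then chunks of
   [4-byte big-endian length][4-byte type][data][4-byte CRC over type+data].
   IHDR data is width(4) height(4) depth(1) colour(1) compression(1)
   filter(1) interlace(1), so width sits at 0x10-0x13 and height at 0x14-0x17. */
#define IHDR_TYPE_OFF   0x0c
#define IHDR_HEIGHT_OFF 0x14
#define IHDR_CRC_OFF    0x1d   /* 12 + 4 (type) + 13 (data) */
#define PLTE_OFF        0x21   /* first chunk after IHDR in the sample */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* CRC-32 as specified by PNG (reflected, polynomial 0xedb88320). */
static uint32_t crc32_png(const uint8_t *p, size_t n) {
    uint32_t c = 0xffffffffu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xedb88320u & (0u - (c & 1u)));
    }
    return c ^ 0xffffffffu;
}

uint32_t png_height(const uint8_t *png) { return be32(png + IHDR_HEIGHT_OFF); }

/* Recompute the IHDR CRC over type+data and compare with the stored value. */
int ihdr_crc_ok(const uint8_t *png) {
    return crc32_png(png + IHDR_TYPE_OFF, 4 + 13) == be32(png + IHDR_CRC_OFF);
}

/* Overwrite the height field in place, as the writeup did in a hex editor.
   The stored CRC is left untouched so the resulting mismatch can be seen. */
void patch_height(uint8_t *png, uint32_t h) { put_be32(png + IHDR_HEIGHT_OFF, h); }

/* Palette entries (3 bytes each) if the chunk at PLTE_OFF is PLTE, else -1. */
int plte_entries(const uint8_t *png) {
    if (memcmp(png + PLTE_OFF + 4, "PLTE", 4) != 0) return -1;
    return (int)(be32(png + PLTE_OFF) / 3);
}

/* Constructed sample: signature, IHDR (1x1, 8-bit indexed) and a 2-entry
   PLTE. No IDAT/IEND; enough for the header checks. Returns bytes written. */
size_t build_sample_png(uint8_t *out) {
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};
    static const uint8_t pal[6] = {0xff, 0xff, 0xff, 0x00, 0x00, 0x00}; /* white, black */
    memcpy(out, sig, 8);
    uint8_t *p = out + 8;
    put_be32(p, 13); memcpy(p + 4, "IHDR", 4);
    put_be32(p + 8, 1);   /* width  */
    put_be32(p + 12, 1);  /* height */
    p[16] = 8; p[17] = 3; p[18] = 0; p[19] = 0; p[20] = 0; /* 8-bit, colour type 3 */
    put_be32(p + 21, crc32_png(p + 4, 4 + 13));
    p += 25;
    put_be32(p, 6); memcpy(p + 4, "PLTE", 4);
    memcpy(p + 8, pal, 6);
    put_be32(p + 14, crc32_png(p + 4, 4 + 6));
    p += 18;
    return (size_t)(p - out);
}

int main(void) {
    uint8_t png[64];
    build_sample_png(png);
    printf("height=%u crc_ok=%d palette=%d\n", png_height(png), ihdr_crc_ok(png), plte_entries(png));
    patch_height(png, 200);
    printf("after edit: height=%u crc_ok=%d\n", png_height(png), ihdr_crc_ok(png));
    return 0;
}
```

Most viewers render a PNG with a wrong IHDR CRC anyway, which is why the trick in the writeup works; a parser that verifies chunk CRCs (or a simple check like ihdr_crc_ok above) is how you notice the file has been hand-edited.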
The challenge consisted in obtaining a note containing the key from the admin. On this site you can create and view your notes and also submit, under "Optional Links", a link that will be visited by the admin. At this point the game is done: just put there a link that logs the request headers the admin sends, and in fact the Referer field contained the link pointing to the key's note.
The task gave us a binary which had a classic buffer overflow vulnerability, but with a sort of canary protection. The vulnerability was in the handle() function here:
recv(fd, &buf, 0x1000u, 0);
The canary was generated randomly with time() as the seed, so brute force is not the way. But just have a look at the source to get it:
v1 = time(0);
v2 = rand();
secret = v2;
v6 = v2;
*(_DWORD *)&buf = &buf;
send(fd, &buf, 4u, 0);
send(fd, &v6, 4u, 0);
As you can see, the program provides the canary itself by writing v6 to the socket. So now just exploit it; here is the code:
The shellcode is a common reverse shell that connects back to your machine on the port you specified. But this is not enough: in fact, if you try it, the server will not connect back, because you have to loop it until it connects back.
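As a defender's counterpart to the canary issue in the second binary, here is an added example (my code, not the challenge's) contrasting the two ways of producing the secret. The writeup's canary is rand() after seeding with time(); a value built that way is a deterministic function of its seed, as the first function shows. The second draws the secret from /dev/urandom instead, and the accompanying send helper is written so the secret is never part of what goes out on the socket. Function names and the use of /dev/urandom are my choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* What the challenge binary does: seed the libc PRNG with the clock and
   take one rand(). Same seed, same canary, every time. */
uint32_t weak_canary(time_t seed) {
    srand((unsigned int)seed);
    return (uint32_t)rand();
}

/* Hardened: read the secret from the OS CSPRNG. Returns 0 on success,
   -1 if /dev/urandom is unavailable (the caller must then refuse to start). */
int strong_canary(uint64_t *out) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(out, sizeof *out, 1, f);
    fclose(f);
    return got == 1 ? 0 : -1;
}

/* The leak in the writeup was send(fd, &v6, 4, 0) with v6 holding the canary.
   This helper copies only the intended payload into an output buffer so the
   secret cannot be written out by accident. It is a pure function over a
   caller-provided buffer, standing in for the real send() to the socket. */
size_t build_reply(uint8_t *out, size_t out_len, const uint8_t *payload, size_t n) {
    if (n > out_len) return 0;      /* never overrun the output buffer */
    memcpy(out, payload, n);        /* the canary is simply not an input here */
    return n;
}

int main(void) {
    time_t t = time(NULL);
    printf("weak  #1: %08x\n", weak_canary(t));
    printf("weak  #2: %08x  (identical: same seed)\n", weak_canary(t));
    uint64_t s1 = 0, s2 = 0;
    if (strong_canary(&s1) == 0 && strong_canary(&s2) == 0)
        printf("strong: %016llx / %016llx\n", (unsigned long long)s1, (unsigned long long)s2);
    uint8_t reply[16];
    const uint8_t hello[] = "ok";
    size_t n = build_reply(reply, sizeof reply, hello, sizeof hello);
    printf("reply bytes: %zu\n", n);
    return 0;
}
```

Two properties matter here and both are visible in the code: the secret comes from an unpredictable source, and nothing in the response path ever takes the secret as an input.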