Category: pwn
Author: s3nn__
Beth got transported to the future where she found Elliot; he needs her help to understand why...
Sometimes two knights are better than a bishop pair
250
Reveal Spoiler
This is a classic stack-based buffer overflow, however there are not traditional ROP gadgets that end with the ret instruction. Instead, players will have to use jump-oriented programming to construct a JOP chain. Roughly, the steps to solve are as follows:
- Calculate offset to RIP
- Overwrite RBP for later usage
- Overwrite RIP with stack pivot and start of JOP chain
- Craft JOP chain to call
execve('/bin/sh', ['/bin/sh', '-p', '0'])- this pops a shell on the target
- it also doesn't drop privileges; this is required because the binary has the SUID bit set and the owner of the binary and the flag is root
A solution that performs the above steps is provided in sol.py
Run against local docker container
python3.7 sol.py R LHOST
Run against CyberRanges (IP might change, so adjust the value of the HOST parameter))
python3.7 sol.py R HOST=192.168.125.11
Run against local binary
python3.7 sol.py