pwnable.tw
tutorials
CTF
hacking
beginner
flag
binary exploitation
pwn
This is the writeup for the challenge start from pwnable.tw. This is the very first challenge on the website and a simple one for that matter. There is a simple buffer overflow on the binary but no jmp to esp gadget, so we need to create a rop chain to find the address of esp and then jmp to it in order to make the binary execute our shellcode.
That being said let's get started.
We can download the binary from the site and throw it in gdb to get a closer look.
The binary is small and has no main in it, I'd say it's handcrafted for this challenge. Thus reversing it should be pretty easy. Let's start with the _start function.
Looking at the asm we can see there are a total 2 syscalls (i.e int 0x80) in one the al (i.e low 8 bits of eax) is 0x4 (i.e write) and other one the it is 0x3 (read). Let's start understanding the asm instruction by instruction.
It seems like we have a buffer overflow vuln here. Lets try out by giving a really long string to find the offset.
We find the offset at 20. Now all we need to do is find a gadget for jmp to esp. Since there is no such instruction on the binary, we will need to create a rop chain to leak the address of esp and then manually jmp to esp.
Examining the binary carefully we see that there is an push esp at the top of the binary and an add esp,0x14 at the near end of _start.
Cool. So the attack will be to leak the esp on the first run then go back and give the payload with shellcode and gain shell. There is no nx so shellcode should work. UwU .
keeping that in mind the. We know that the first thing pushed on stack was esp. So after we have given our input (our given input will overwrite the stack in place of string "Let's start the CTF:") and popping of 20 bytes of data (with add esp,0x14) and the exit address in _exit, we will have only esp on the stack. Thus if we will overwrite eip with a call to write syscall (present in binary) we can leak the address of esp.
After the write syscall the program continues the flow and asks for our input again.
The stack will look like this when we will give our second input.
Stack grows from high to low. esp points at the top of the stack. Now when we add 0x14 (i.e 20) to our esp, the esp will point to starting of shellcode. So we will over eip with esp+20 so the eip goes to shellcode directly and we will have a shell.
Thus the exploit will look like this:-