XMM

Help Kenneth get the xmm!

Note 0: strings you see in the binary that have XXXX… or YYYY.. are patched for distribution, your goal is to find their true values through the remote service.

Note 1: Getting a shell is NOT the goal of this challenge. If you get one on the remote it should not be that useful.

Files given:

This binary simply executes any shellcode we give it. However if we try a execve('/bin/sh') shellcode, we see that our user has basically no permissions on the server, hence we need to get the binary to read itself as suggested by the hint.

We notice that the flag is located at 0x495060 and to print this, we simply hijack one of the print calls, which can be found 0x2b before the call to our code is made, hence we simply jump there and print out a decent chunk of the binary which contains our flag.

Shellcode:

b"\x48\xc7\xc6\x60\x50\x49\x00", # mov  rsi, 0x495060 <- location of flag
b"\x48\x8b\x04\x24", #  mov  rax, qword ptr [rsp]
b"\x48\x83\xe8\x2b", # sub  rax, 0x2b <- printing out stuff
b"\xff\xd0", #  call rax

The solution script can be found at exploit.py

Flag: CTFSG{xmm_hunter_1337}