Hopscotch

One childhood pastime I never got to experience much is Hopscotch, a game where you jump and hop over boxes to reach the goal.

Won’t you play with me?

Files given:

This challenge is a simple shellcoding exercise.

Challenge details

There is no canary and the NX bit is not set. Furthermore, the address of our input is printed, so we need to give it proper shellcode to run.

We have a 48-byte array that we can write 96 bytes to, allowing us to overflow the return pointer. However, there is a variable right after the array that acts as a ‘canary’ and is checked against 1337, so we will have to take care of that when overflowing.

The difficulty lies in the fact that when we input our payload, the 9th, 21st, 33rd and 45th bytes are set to 0, hence we need shellcode that has zeros at those positions as well.
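The frame layout and zeroing step described above, modelled in C to show that a fixed guard value only catches an overflow that does not repeat the constant, and what a bounded copy changes. This is an added example, not the challenge's source; the 4-byte guard, the 1-based reading of the zeroed positions, and the names `frame`, `fill`, `guard_ok` and `rest_intact` are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   48    /* array size, from the write-up */
#define READ_LEN  96    /* bytes accepted, from the write-up */
#define GUARD_VAL 1337  /* constant the guard is compared with */

/* Modelled frame: array, guard directly after it, then whatever follows
 * (saved registers, return address). A 4-byte guard is an assumption. */
struct frame {
    unsigned char buf[BUF_LEN];
    int32_t guard;
    unsigned char rest[READ_LEN - BUF_LEN - sizeof(int32_t)];
};
_Static_assert(sizeof(struct frame) == READ_LEN, "model has no padding");

/* Copy at most `limit` bytes of input into the frame, then zero the bytes
 * the write-up lists (reading them as 1-based positions is an assumption).
 * limit = READ_LEN is the described behaviour, limit = BUF_LEN the fix. */
void fill(struct frame *f, const unsigned char *in, size_t n, size_t limit) {
    static const size_t holes[] = {9, 21, 33, 45};
    memset(f, 0xAA, sizeof *f);            /* 0xAA marks untouched bytes */
    f->guard = GUARD_VAL;
    memcpy(f, in, n < limit ? n : limit);
    for (size_t i = 0; i < sizeof holes / sizeof holes[0]; i++)
        f->buf[holes[i] - 1] = 0;
}

int guard_ok(const struct frame *f) { return f->guard == GUARD_VAL; }

int rest_intact(const struct frame *f) {
    for (size_t i = 0; i < sizeof f->rest; i++)
        if (f->rest[i] != 0xAA) return 0;
    return 1;
}

int main(void) {
    unsigned char in[READ_LEN];            /* constructed sample input */
    int32_t g = GUARD_VAL;
    struct frame f;
    memset(in, 'A', sizeof in);
    memcpy(in + BUF_LEN, &g, sizeof g);    /* input repeats the constant */
    fill(&f, in, sizeof in, READ_LEN);
    printf("unbounded: guard_ok=%d rest_intact=%d\n", guard_ok(&f), rest_intact(&f));
    fill(&f, in, sizeof in, BUF_LEN);
    printf("bounded:   guard_ok=%d rest_intact=%d\n", guard_ok(&f), rest_intact(&f));
    return 0;
}
```

A compiler-inserted stack protector differs from this guard in that its value is chosen at process start rather than fixed in the binary.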

Two ideas immediately come to mind: a very short jump, or moving 0 into a register. We can try these out in shell-storm and prepare our shellcode there. For instance, the following are viable options to use when needing a 0:

Using this we get a shell, and with one very lazy grep command we obtain the flag!

ariana@ariana ~/D/S/2/W/Hopscotch> py exploit.py remote
[+] Opening connection to chals.whitehacks.ctf.sg on port 20401: Done
[*] Switching to interactive mode
Enter input: $ grep -rnw "WH2021" / 2>/dev/null
/home/hopscotch/flag.txt:1:WH2021{8a11f6615742a_h0p_st3p_jUMp_Dr3w_Dr@w_dr@wN}

The solution script can be found at exploit.py

Flag: WH2021{8a11f6615742a_h0p_st3p_jUMp_Dr3w_Dr@w_dr@wN}