McAfee ATR Hax
This CTF is a good experience for people who want to get started in the CTF field. I managed to solve a few challenges and will be uploading my solutions to GitHub. Sadly, I will only be doing a write-up for the pwn challenge. If you need help with any of the other challenges that I managed to solve, do ping me on Twitter or comment on the blog!
First, we run checksec to check the protections of the binary:
root@kali:/home/kali/Desktop# checksec www_net
[*] '/home/kali/Desktop/www_net'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
Fuzzing it a little, we get the crash at:
0x80495ac <main+313>    call   strcpy@plt <strcpy@plt>
    dest: 0x804d1d0 ◂— 0x0
    src: 0xffffd218 ◂— 0xa61 /* 'a\n' */
This is a simple buffer overflow challenge. Fuzzing it a little, we see that we can overflow the buffer and control the source and destination that strcpy copies between.
(Failed) Method 1: Overwriting esp
Overwriting esp with the address of the winner function allows the winner function to be executed. However, this method failed because the program exits and the socket closes without sending the flag back.
Method 2: Overwriting the GOT entry of puts
Breakpoint at strcpy:
src points to the winner function and dest points to puts@got.
Thus, when puts is called, the winner function is executed instead.
The instruction jmp dword ptr [0x804c030] now jumps to the winner function.
- We cannot overwrite esp because when the program returns, it crashes and the flag does not come back.