McAfee ATR Hax

This CTF is a good experience for people who want to get started in the CTF field. I managed to solve a few challenges and will be uploading my solutions to GitHub. Sadly, I will only be doing a write-up for the pwn challenge. If you need help with any of the other challenges that I managed to solve, do ping me on Twitter or comment on the blog!

Scoreboard

First, we run checksec to check the security mitigations of the binary:

[*] '/home/kali/Desktop/www_net'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

Fuzzing it a little, we get the crash at:

call strcpy@plt <strcpy@plt>
    dest: 0x804d1d0 ◂— 0x0
    src: 0xffffd218 ◂— 0xa61 /* 'a\n' */

This is a simple buffer overflow challenge. With a little fuzzing, we see that we can overflow the buffer and overwrite the source and destination that strcpy uses for its copy.

(Failed) Method 1: Overwriting the esp

Overwriting the esp with the address of the winner function would allow the winner function to be executed. However, this method failed because the program exits and the socket closes without sending the flag back.

Method 2: Overwriting the GOT entry of puts

Breakpoint at strcpy:

src points to the winner function and dest points to puts@got.

Thus, when puts is called, the winner function is executed instead.

The jmp dword ptr [0x804c030] instruction now jumps to the winner function.
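The GOT overwrite above is possible because checksec reported Partial RELRO, which leaves lazily bound entries such as puts@got writable at run time; a binary linked with -z relro -z now (Full RELRO) has its GOT made read-only before main runs. The following is an added example, not part of the original write-up, showing how that status is read from the ELF program headers and dynamic section. The names relro_status and make_sample are hypothetical, and the ELF images are constructed header-only samples.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_NEEDED, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 1, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def relro_status(elf: bytes) -> str:
    """Classify a 32-bit little-endian ELF image as 'No', 'Partial' or 'Full' RELRO."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("expected a 32-bit little-endian ELF")
    (e_phoff,) = struct.unpack_from("<I", elf, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
    has_relro = bind_now = False
    for i in range(e_phnum):
        p_type, p_offset, _, _, p_filesz = struct.unpack_from(
            "<5I", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:          # segment made read-only after relocation
            has_relro = True
        elif p_type == PT_DYNAMIC:          # walk Elf32_Dyn (tag, value) pairs
            for off in range(p_offset, p_offset + p_filesz, 8):
                tag, val = struct.unpack_from("<II", elf, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True         # all symbols resolved at load time
    if not has_relro:
        return "No"
    # Without BIND_NOW, lazy binding keeps .got.plt (e.g. puts@got) writable.
    return "Full" if bind_now else "Partial"

def make_sample(dyn_entries, with_relro=True) -> bytes:
    """Constructed input: a header-only ELF32 holding just the fields read above."""
    n_ph = 2 if with_relro else 1
    dyn = b"".join(struct.pack("<II", t, v) for t, v in dyn_entries + [(DT_NULL, 0)])
    phdrs = [(PT_DYNAMIC, 52 + 32 * n_ph, 0, 0, len(dyn), len(dyn), 6, 4)]
    if with_relro:
        phdrs.append((PT_GNU_RELRO, 0, 0, 0, 0, 0, 4, 1))
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01",
                       2, 3, 1, 0, 52, 0, 0, 52, 32, n_ph, 0, 0, 0)
    return ehdr + b"".join(struct.pack("<8I", *p) for p in phdrs) + dyn

if __name__ == "__main__":
    lazy = make_sample([(DT_NEEDED, 1)])                            # models www_net
    now = make_sample([(DT_NEEDED, 1), (DT_FLAGS, DF_BIND_NOW)])    # -z relro -z now
    print("lazy binding:", relro_status(lazy), "RELRO")
    print("bind now:", relro_status(now), "RELRO")
```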

Flag

Learning point:

  1. Cannot overwrite esp because when the program returns, it will crash and the flag will not come back.

My solutions:
