Linux
ShofEL2, a Tegra X1 and Nintendo Switch exploit
plaidCTF 2014 - ezhp (pwn200)
ezhp
Pwnables (200 pts)
-------------------
Luckily when you travel back in time, you still get to use all your
knowledge from the present. With that knowledge in hand, breaking
into this service (at 54.81.149.239:9174) owned by The Plague
shouldn't be hard at all.
To set the picture, let’s identify the binary:
izsh@box:~$ file ezhp
ezhp: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),
dynamically linked (uses shared libs), for GNU/Linux 2.6.24,
BuildID[sha1]=0x5fa5bd76db306497b549ea3b0466cd9e9afa2705, stripped
izsh@box:~$ readelf -l ezhp | grep STACK
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
plaidCTF 2014 - tiffany (re300)
tiffany
Reversing (300 pts)
-------------------
We want to get access to a server used by The Plague. Maybe if you
can find out what key is accepted by this binary you can find out
where or when The Plague is...
Yay, a Linux x86_64 executable! Let’s run it and see what happens, because what could possibly go wrong when running a random binary off the internet?
$ ./tiffany
This may take a while...
.......
Please enter a string: TEST
....
Sorry, wrong.
Well, that took 3 seconds to initialize and 5 seconds per input string character. Sure seems to be doing a lot of stuff. Let’s load it into IDA to get a general idea.