Pwnium CTF... but there was only one pwn problem, lol.
(pwn100 was down.)
The problem gave us a host that we can log in to over ssh.
Our goal is to use the executable named pwn200 to read the content of the file named flag in the same directory.
After reversing the ELF in IDA, we find that the vulnerability is in the function
If we input a negative number, the binary never initializes the variable
Therefore, we can control eax and execute arbitrary code.
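To make the bug class concrete, here is an added illustration that is not the pwn200 binary's own code (the post does not show it): a hypothetical lookup routine whose result is only assigned on the valid-index path, shown beside a hardened version. The names lookup_vulnerable, lookup_hardened and table are assumptions for the example.

```c
#include <stdio.h>
#include <limits.h>

/* Hypothetical stand-in for the pattern the write-up describes: a table
 * lookup whose result variable is assigned only when the index is valid. */
#define TABLE_LEN 4
static const int table[TABLE_LEN] = { 10, 20, 30, 40 };

/* Vulnerable form: for a negative (or too large) index 'result' is never
 * written, so the function returns whatever stale value happened to sit in
 * that stack slot or register. On x86 the return value travels in eax,
 * which is why an uninitialized return gives the caller control of eax.
 * Calling this with an invalid index is undefined behaviour. */
int lookup_vulnerable(int idx) {
    int result;
    if (idx >= 0 && idx < TABLE_LEN) {
        result = table[idx];
    }
    return result;
}

/* Hardened form: 'result' is initialized on every path, invalid input is
 * rejected before any use, and the caller gets an unambiguous sentinel. */
int lookup_hardened(int idx) {
    int result = INT_MIN;           /* sentinel: "no valid entry" */
    if (idx < 0 || idx >= TABLE_LEN) {
        return result;              /* reject negative and out-of-range */
    }
    result = table[idx];
    return result;
}

int main(void) {
    printf("hardened(2)  = %d\n", lookup_hardened(2));
    printf("hardened(-1) = %d (sentinel)\n", lookup_hardened(-1));
    return 0;
}
```

Compiling the vulnerable form with gcc -Wall -Wextra produces a "may be used uninitialized" warning; treating that warning as an error is the cheapest way to keep this class of bug out of a build.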
We can't easily jump to shellcode because of ASLR.
However, the program provides a magic function test() which calls system() and just prints
We can use ROP to read the flag.
With no difficulty, I found the ROP chain to call system and control esp to change the argument.
But where can I put the command to get the flag? I was stuck on this problem for a while.
Finally, I used an environment variable to solve the problem.
Set an environment variable to cat flag preceded by a lot of blanks, like this:
DDAA=" "*130000+"cat flag"
Then we can guess the address of our environment variable.
It must be between
Once our guess was right, we could see the flag of pwn200.