[CSAW 2016] PWN: Warmup Writeup



So you want to be a pwn-er huh? Well let’s throw you an easy one 😉
nc pwn.chal.csaw.io 8000


Let’s connect to the server and play with it a little bit:

The program says “WOW:” followed by a memory address. This address is probably the address of the function we need to execute. Let’s open IDA to view the code:

This is a classic BOF (Buffer Overflow) case. The main method uses the gets() function to read the user's input into a stack buffer and returns. The buffer holds 64 bytes (0x40), but gets() never checks the length of the line it reads. Because there is no validation of the given string, we need to supply an input that overflows the buffer, overwrites the saved return address and makes the program jump to the wanted address: 0x40060d.
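For contrast, here is the same 64-byte read done with a bounded reader in C. This is an added example, not code from the original writeup or the challenge binary; the buffer size comes from the text, while the function names and the 200-byte line of 'A's are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* The challenge does roughly this (unsafe pattern, left as a comment
 * because gets() takes no length and was removed in C11):
 *
 *     char buf[0x40];
 *     gets(buf);   // copies the whole line, however long it is
 *
 * Bytes beyond the 64th overwrite whatever follows buf on the stack,
 * including the saved return address. */

#define BUF_CAP 0x40 /* same 64-byte buffer as the challenge */

/* Bounded replacement for gets(): reads one line from `in` into buf[cap].
 * Returns 0 for a complete line, 1 if the line exceeded cap-1 bytes and
 * the excess was discarded, -1 on EOF/error with nothing read. */
int read_line_bounded(FILE *in, char *buf, size_t cap) {
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL) {
        if (cap) buf[0] = '\0';
        return -1;
    }
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';              /* whole line fit */
        return 0;
    }
    int c = fgetc(in);
    if (c == EOF) return 0;             /* last line just lacked '\n' */
    while (c != EOF && c != '\n') c = fgetc(in); /* drop the overflow */
    return 1;
}

/* Feeds a constructed 200-byte line of 'A's (the kind of input that
 * smashes the stack through gets()) to the bounded reader. Returns the
 * reader's status and stores the number of bytes kept in *stored. */
int demo_overlong_input(size_t *stored) {
    char line[202];
    memset(line, 'A', 200);
    line[200] = '\n';
    line[201] = '\0';
    FILE *in = fmemopen(line, 201, "r");
    if (in == NULL) return -2;
    char buf[BUF_CAP];
    int rc = read_line_bounded(in, buf, sizeof buf);
    *stored = strlen(buf);
    fclose(in);
    return rc;
}
```

With the bounded reader the 200-byte line is truncated to 63 bytes plus the terminator and the caller is told that truncation happened, instead of the excess landing on the saved return address.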

A short python script will do the job:

And we got the flag: FLAG{LET_US_BEGIN_CSAW_2016}

