BigBoy - PWN 25 - CSAW 18

This was the first task I solved during the CTF, our mission was to determine the offset where the EAX register is compared and achieve the condition.

let's get started, the first thing I did is to run gdb-peda and disassemble the main function.

img1.png

Here we have a simple read() function then the EAX register is compared to this hexadecimal value 0xcaf3baee and finally we've got a jump (jne), if the condition is met it will jump to the rum_cmd (main+122) function that executes the shell.

Now our next mission is to determine the offset where the hexadecimal value is checked.

img2.png

In this case, I already put a breakpoint after the read() function then I generate a simple pattern. I run the binary and I passed the pattern as input then I'll verify the value of $eax , this will help us find the offset.

img3.png

img4.png

Now we could write a script to complete the process.

flag.png

FLAG : flag{Y0u_Arrre_th3_Bi66Est_of_boiiiiis}

This article is my 2nd oldest. It is 163 words long