Pwn2

Description:

Here's another pwn challenge! Let's see if you can run your own assembly!

`nc <ip> <port>`

[pwn2.zip]

Writeup

This challenge involves using shellcode to pop a shell. The binary leaks a stack address (in fact, the exact address of the input buffer), and an overflow then lets you set `$rip` to the start of the shellcode. The shellcode must fit in 64 bytes, which is enough for most snippets available online. The solve is automated in `solve.py`.

Flag - byuctf{$10_says_this_one_is_harder_than_pwn3}

Hosting

`pwn2` was compiled with the command `gcc -fno-stack-protector -z execstack -o src/pwn2 pwn2.c`.

This challenge should be hosted as a Docker container that runs the `pwn2` binary on port 40000 each time someone connects. All the necessary files are included here. To build and run the Docker container, run the following from inside this directory:

```
docker compose up -d
```

To stop the challenge:

```
docker compose down
```