# Hacking Tube

## DEFCON CTF 2015 Quals -- r0pbaby

Category: Baby's First
Points: 1

r0pbaby_542ee6516410709a1421141501f03760.quals.shallweplayaga.me:10436

64 bit ELF. No stack guard, but it has NX & PIE protection.

The service will give you a menu first:

```
Welcome to an easy Return Oriented Programming challenge...
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
```

The first option prints the address of libc.so.6, which is the real libc base address. The second asks you for a libc function's symbol name and prints that function's address. The third asks you for a number (the string length) and a string.

After we checked the binary with IDA Pro, we found the following information:

Our input is stored at nptr first, then copied with memcpy to savedregs. Let's check the location of savedregs:

Right on the rbp!

So every time we choose 3) and input something, it is copied to rbp, which means we can overwrite the return address. Since the binary has NX protection, we had better try a return-to-libc attack.

The key point is to find a useful gadget. At first I tried to leak libc's base address and attempted to guess the libc version so I could calculate the addresses of /bin/sh and a `pop rdi; ret` gadget. But I ended in failure, since there was no other memory leakage vulnerability. At this moment my teammate bananaapple proposed a solution: how about we find a gadget that's inside a function?

For instance, if we want to find a `pop rdi; ret` gadget: since `pop rdi; ret` is `5f c3` in machine code, we just have to find a function whose bytes contain the two-byte sequence `5f c3`; then we can calculate the offset from that function's start and get the gadget's address.
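The byte-pattern search described above, as an added Python example that is not part of the original write-up. The function body, the read-only data and the leaked addresses are constructed stand-ins, not real libc contents; the point it shows is that the `5f c3` sequence need not be an intended instruction at all, only bytes that happen to sit inside a function whose address can be leaked.

```python
# Added example (not the write-up's own code): locating a gadget that lives
# inside a function, given a leaked address for that function.
# Every byte string and address below is constructed for illustration.

# Constructed stand-in for a libc function body. Here 5f c3 is NOT an
# intended "pop rdi; ret": it is the tail of the 4-byte instruction
# 48 8b 5f c3 (mov rbx, [rdi-0x3d]). x86 has no instruction alignment, so
# returning into the middle of that instruction still executes pop rdi; ret.
FAKE_FUNC = bytes([
    0x55,                    # push rbp
    0x48, 0x89, 0xe5,        # mov rbp, rsp
    0x48, 0x8b, 0x5f, 0xc3,  # mov rbx, [rdi-0x3d]   <- 5f c3 at offset 6
    0x5d,                    # pop rbp
    0xc3,                    # ret
])

# Constructed stand-in for the read-only data around a string symbol.
FAKE_RODATA = b"libc\x00" + b"-c\x00" + b"/bin/sh\x00"

POP_RDI_RET = b"\x5f\xc3"


def find_offsets(blob: bytes, pattern: bytes) -> list:
    """Every offset at which `pattern` occurs in `blob`, including
    overlapping and unaligned matches (a disassembler would miss these)."""
    offsets, start = [], 0
    while True:
        i = blob.find(pattern, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def gadget_address(leaked_symbol_addr: int, blob: bytes, pattern: bytes) -> int:
    """Runtime address of the first `pattern` inside the object whose body is
    `blob` and whose start address was leaked. Only the offset is fixed; the
    base comes from the leak, which is why one leaked symbol defeats PIE/ASLR."""
    offsets = find_offsets(blob, pattern)
    if not offsets:
        raise ValueError("pattern not present in this function")
    return leaked_symbol_addr + offsets[0]


if __name__ == "__main__":
    leaked_func = 0x7F1234567000      # constructed "leaked" function address
    leaked_str = 0x7F1234560000       # constructed "leaked" string address
    print(hex(gadget_address(leaked_func, FAKE_FUNC, POP_RDI_RET)))
    print(hex(gadget_address(leaked_str, FAKE_RODATA, b"/bin/sh\x00")))
```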

Using the aforementioned method, we quickly found that `5f c3` was at `_IO_proc_open + 0x34d` and `/bin/sh` was at `_libc_intl_domainname + 0x0242`. With this information, we can now construct a ROP chain and exploit the service:

Flag: W3lcome TO THE BIG L3agu3s kiddo, wasn't your first?