CTF Insomnihacking Teaser 2017 Challenge Write-up

February 7, 2017


This challenge requires skills in exploit development, reverse engineering and scripting in Python. In this challenge we got a file named


After extracting this file we are presented with two files, “baby” and “libc.so”. The target we are required to exploit is “baby”. As usual when analyzing and reversing binaries on Linux, whether 32- or 64-bit, we first want to gather some information about the file.


As shown in the picture, we got a DLL file, which needs to be checked for the enabled security mitigations. We will use a tool called “checksec.sh”, developed by “slimm609”.


As we see above, PIE and NX are enabled, which means we cannot simply overwrite EIP with a stack overflow: with ASLR and DEP enabled, the addresses change on every run. So we first need to leak some pointers and addresses, by checking whether a format string vulnerability is present and, if so, leveraging it to obtain the libc base address. With that information we can construct our ROP chain to bypass DEP and ASLR, drop our shell and pwn the system. First, let me show an approach for finding ROP gadgets. If you are working with a Windows executable, use Immunity Debugger with the “mona” plugin developed by Corelan.
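To make the checksec result above concrete, here is an added example (not part of the original write-up or of checksec.sh) that reads the PIE and NX verdicts straight from the ELF headers: PIE means the file is ET_DYN, and NX means a PT_GNU_STACK program header is present without the PF_X bit. The `build_sample_elf` helper constructs a minimal header-only ELF64 image so the checker can be exercised offline; pass a real file path instead to inspect an actual binary.

```python
import struct
import sys

# Constants from the ELF specification.
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551        # program header carrying the requested stack permissions
PF_X = 0x1                       # execute bit in p_flags (PF_R = 4, PF_W = 2)
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian, 64 bytes
PHDR_FMT = "<IIQQQQQQ"           # Elf64_Phdr, 56 bytes


def check_mitigations(data: bytes) -> dict:
    """Report PIE and NX the way checksec does, using only the ELF headers.

    PIE: e_type is ET_DYN, so the loader (and ASLR) can place the image anywhere.
    NX:  a PT_GNU_STACK header exists and lacks PF_X; if the header is missing
         the kernel falls back to an executable stack, so NX counts as disabled.
    """
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a 64-bit little-endian ELF")
    fields = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    stack_flags = None
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
    return {
        "pie": e_type == ET_DYN,
        "nx": stack_flags is not None and not (stack_flags & PF_X),
    }


def build_sample_elf(pie: bool, stack_flags) -> bytes:
    """Constructed minimal ELF64 image (headers only, no code) for testing.

    stack_flags=None omits PT_GNU_STACK entirely, the 'no header' edge case.
    """
    phdrs = b""
    if stack_flags is not None:
        phdrs = struct.pack(PHDR_FMT, PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, LSB, version 1
    ehdr = struct.pack(EHDR_FMT, e_ident, ET_DYN if pie else ET_EXEC, 0x3E, 1,
                       0x1000, 64, 0, 0, 64, 56, len(phdrs) // 56, 64, 0, 0)
    return ehdr + phdrs


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf(True, 0x6)
    print(check_mitigations(data))
```

Note that a shared library such as the supplied libc.so is also ET_DYN, so a "pie" verdict on its own does not distinguish a PIE executable from a library; checksec.sh applies extra heuristics for that.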

Use the following commands in Immunity Debugger to write the ROP gadgets to a separate “rop.txt” file:

!mona modules
!mona rop -m some.dll -cpb '\x00\x09\x0a'

Here “some.dll” stands for a module that is not rebased and has ASLR disabled, and the -cpb option excludes gadget addresses containing the bad characters \x00, \x09 and \x0a, so that the generated ROP chains are usable for the attack.

In our case, on Linux, we can instead use edb-debugger with its ROP plugin to find them. Each ROP gadget ends with a “RET” instruction.


Now for the interesting part, the Python script:


Now let’s execute our pwn.py Python script to see if we get a shell:


…and voila, we got it.
