# Binary Exploitation (pwn) ## Pwnterpolations First step is to check the binary information using `file` and the protections used in compilation using `checksec`

Now I've highlighted 3 main parts, these are usually the parts we wanna try to focus on in the `file` output feel free to do some research on what each part means.

Nothing interesting here, no canary, no PIE and Partial RELRO, could be anything except shellcode injection since NX is enabled. We're given an ELF binary, after decompiling the binary using ghidra, we find the following code:

Analyzing the code, we find that the flag is imported into the binary and stored into a variable, then uses `fgets` to take the user input, and prints that input using `printf` One thing we know is the following: * This isnt a shellcode injection for the reason stated above * This isnt a ret2win challenge, since there isn't a stack overflow vulnerability with the usage of fgets and specifying the exact amount of bytes to be taken. let's see how ChatGPT does with our analysis.

If we ask ChatGPT for further explanation or do some reading on format string vulnerabilities, we'll find that we can leak variables off the stack using such vulnerability.

if we try out the vulnerability, we see that we're leaking addresses off the stack, and we know that the variables in this program are stored on the stack, let's keep leaking until we find something weird. After leaking a few positions on the stack we find that position 8 is a little interesting.

This is too long to be an address (addresses are either 4 bytes for 32-bit systems or 8 bytes for 64-bit systems), then this must be the content of a variable, let's try decoding it using [cyberchef](https://gchq.github.io/CyberChef/) of course knowing it's running on little endian we have to swap endianess then decode from hex:

Hmm interesting, this is the start of the flag format... After leaking the positions that follow 8 (9,10,11) and doing the same we see more of the flag is showing up:

Keep doing this and you'll get your flag :) Of course this is peasantry...

Now let's stop with the peasant ways and solve the challenge with a script, here's a script that solves our challenge in a cooler manner: ```python from pwn import * from pwnlib.util.packing import * context.binary = binary = ELF("./chall") context.log_level = "error" p = process() p.recvuntil(b'> ') for i in range(8,13): p.sendline(f'%{i}$p'.encode()) out = p.recvline().strip().decode() out = p64(int(out[2:],16)).decode() print(out,end='') p.close() # for i in range(1,40): # p = process() # p.recvuntil(b"> ") # tst = f'%{i}$p' # p.sendline(tst.encode()) # out = p.recvline().strip().decode() # p.recvuntil(b"> ") # try: # print(i, (p64(int(out,16)))) # except: # continue # p.close() ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://l0mb4rd.gitbook.io/home/ctf-stuff/playgroundsctf-24-writeups/binary-exploitation-pwn.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.