Hello and welcome to the
functional programming challenge write up from UTCTF 2021.
If you are only interested in the exploit code, see here.
This challenge invites you to enter a list and then choose to apply a
on this list.
For that, it gives you the addresses of those functions and wants you to select
the one that will be executed.
Here an example of execution :
You can enter the function pointer you want so that’s how we will have RCE (Remote code Execution).
So let’s take a look at checksec :
The input array is on the stack but NX is enabled so the challenge is not about shellcoding. There is a stack canary but this it is neither about overflows.
In fact if we take a look at the function addresses we can apply by mapping or filtering,
there is a noticeable difference for the
abs function address
Here an example :
1 2 3 Increment: 0x5579b5eebab5 Positive: 0x5579b5eebac4 Abs: 0x7fb5132c8640
abs is a libc function.
So we have a given libc leak.
Now all we need to do is to use a libc database such as this website
to find the offset with the
system libc function.
We just have to fulfill our array with
/bin/sh (you have first to convert it into a int list)
And we are done !
The flag was
Thanks for reading !