Court of Analysis and Testing

  Okay next, let's solve the 3rd challenge Don't forget to run it first so we know how the program work ok so the program greet us with some kind of hex value that I expect it was some memory address inside the program. When we enter some strings it doesn't give us anything. let's load our binary to Ghidra and when I dump all the functions the only functions that caught my eyes are main and echo. The main function doesn't have any particularly interesting function so lets just to the echo function. Notice that there is gets function again and we should have the ability to cause a buffer overflow in the program before we start to do some fuzzing, load the binary to Ghidra so we have a more depth understanding of the code. hmmm, notice that the printed address is the address of the variable that stored our input. I assume we should use that address to place our shellcode but we will get into that later. create a pattern so we know how ...

Alright let's move to the second challenge of the pwn CTF Try to run it first so we know what we up against hmmm, ok I try to enter something and nothing happen I assume we need to find the correct string to trigger something in the program. load it to peda and look at the disassembly code. As we can see there is function name "one" and "two" that will print if function one called "This is function one \n" and if function two called "This is function two \n" the first two mentioned function is not interesting, let just quickly analyze main and move to select_func. in main function, it clearly indicates that we can overflow the binary since it's using gets function after that our input is passed to the select_func dump the select_func assembly code and try to type "checksec" to see what kinda protection used in the binary. One that is caught my eyes is the PIE (Position Independent Executable) ok so...

It's been a couple of days since I started learning about pwning, I guess it's time to test it by doing some CTF challenges. the following CTF resources come from https://github.com/tamuctf/TAMUctf-2019 kudos to the author of the GitHub page We are going to start at the first challenge and the next blog will be second and so on... Let's run the binary to know what we are dealing with. As you can see it need some input we are going to dissect the binary using radare2 and when I try to understand the flow of the program I found out that it has three string comparisons using strcmp.   the first two checks are completely straight forward. Our first string (s1) in the first check will be compared against ebx-0x159f and our second string (s1) in the second check will be compared against ebx-0x154d But the third check is comparing us with hex decimal value (0xdea110c8). So what is var_10h, if we try to compare it with the actual source code you can s...