Camp CTF 2015 - Bitterman

00:00 - Introduction 01:20 - Using CheckSEC to explain the binary protections that can be applied. 02:45 - Running the binary to discover a segfault with long string of A's 04:10 - This is a 64 bit Binary so we overwrite RSP (Stack Pointer) not RIP (Instruction Pointer) 04:30 - Using Pattern Create to identify where we can overwrite RSP 05:15 - Using PwnTools to create a skeleton exploit 07:20 - Using objdump to dump the PLT (Procedural Link Address) and GOT (Global Offset Table) Address for PUTS so we can use ROP to write to the screen 09:00 - Using R2 (radare) to find the location to a pop rdi function 09:45 - Building the gadget chain to print the location of PUTS 12:20 - Packing the addresses in our exploit with p64(), then showing the leaked address 14:00 - Storing the leaked address as a variable so we can convert it to hex 15:50 - Memory address retrieved! It changes every time the program loads, so adding a ROP back to MAIN 18:50 - Looking for a SYSTEM() Address with ReadElf 19:00 - Using strings to find the location of "/bin/sh" within libc 19:55 - Using the leaked addresses to find where libc is loaded 24:50 - Fixing up some memory addresses then getting a shell! 25:10 - Using Pwntools to the max! Having it automate a lot of stuff. 25:50 - Mapping the ELF + LIBC within PwnTools 26:45 - Using PwnTools to build the ROP Chain to leak PUTS 28:15 - Using PwnTools to rebase LibC From our memory leak 29:00 - Using PwnTools to pull the SYSTEM and /bin/sh information from LibC 30:30 - Debugging some errors then getting a shell! Bitterman: https://github.com/ctfs/write-ups-2015/blob/master/camp-ctf-2015/pwn/bitterman-300/bitterman?raw=true Good Links. PLT/GOT explanation: https://www.technovelty.org/linux/plt-and-got-the-key-to-code-sharing-and-dynamic-libraries.html Great Writeup to similar CTF Challenge: https://blog.skullsecurity.org/2015/defcon-quals-r0pbaby-simple-64-bit-rop