Game Rules

Overview

In each lab, you need to solve a set of challenges. In each challenge, you have to submit two things, namely, a flag and its writeup via submission site: the flag you got from the challenge and the write-up that summarizes how you formulated the exploit (see below).

A flag is an ASCII string that matches with a regular expression of is521{[^}]+}, and you can find it either in the challenge program or in the challenge directory (usually as a ‘flag’ file). Your job is to read this flag by exploiting the distributed challenges.

Instructions

  1. Get your account
  • We wil register and send your account with SSH keys for connecting CTF servers through your mail. If you haven’t got this information, please contact to us.
  1. Connect to the course server
# login to the course server
[host] $ ssh YOUR_IDID@teemo.kaist.ac.kr -i YOUR_KEY_LOCATION/id_ed25519 -p PORT

# let's start lab01
[CTF_server] $ cd /is521/
[CTF server] $ cd lab01
[CTF server] $ cat README
  1. Submit your solution and flag
# Submit Flag
1) Visit the scoring website
   https://teemo.kaist.ac.kr:8443

2) Choose the challenge name from the correct lab

3) Submit the flag!


# Submit Writeup
(will be announced later)

Write-up sample

You should submit a write-up for each exploit to get actual point.

  • Your write-up should be written in Markdown .
  • Your write-up should contain both simple description about how to solve the challenge and the actual exploit.
  • You don’t need to submit write-up for tutorials and the first lab.
## Description

In this challenge, ebp and the return address are protected by stackshield.
By doing debugging, you can see all ebp and ret values are keep tracking and
storing somewhere. However, when you make an input large enough, you will see
that a function pointer will be overwritten. And the overwritten value will be
store in EAX and make it jump at <main+96>. I put my shellcode as env, get the
address, and put it. In my case, the function pointer(0x08048b0a at 0xbffff654)
was overwritten. So we could learn, we could jump using the weakpoint even
though the stackshield is working on.

## Exploit
```python
  #!/usr/bin/env python3

  import os
  import sys

  from pwn import *

  payload = cyclic(100) + p32(0xbffff654)
  p = process(["/is521/lab02/func_ptr/target"])
  p.sendline(payload)
  p.interactive()
```

## Collaborator: Insu Yun
- I asked a question about how to get the core file from the server