## System DROP

*Static Analysis*
- This was a 64-bit ELF binary that was not stripped and was dynamically linked.
- Neither `canary` nor `pie` was enabled in the binary. `Partial Relro` was enabled.
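
The properties listed above can be read directly from the ELF headers, which is a useful check to run on a build before it ships. The following is an added example, not part of the original writeup; the function names `elf64_properties` and `constructed_sample` are illustrative, and the sample image is constructed (headers only) to mirror the binary described here.

```python
import struct

PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
ET_EXEC, ET_DYN, SHT_SYMTAB = 2, 3, 2

def elf64_properties(data: bytes) -> dict:
    """Report the static-analysis properties of a little-endian ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian 64-bit ELF")
    (e_type,) = struct.unpack_from("<H", data, 16)
    e_phoff, e_shoff = struct.unpack_from("<QQ", data, 32)
    phentsize, phnum, shentsize, shnum = struct.unpack_from("<4H", data, 54)
    interp = relro = bind_now = False
    for i in range(phnum):
        base = e_phoff + i * phentsize
        p_type, _, p_offset = struct.unpack_from("<IIQ", data, base)
        (p_filesz,) = struct.unpack_from("<Q", data, base + 32)
        interp |= p_type == PT_INTERP      # has a program interpreter: dynamically linked
        relro |= p_type == PT_GNU_RELRO    # segment remapped read-only after relocation
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, 16):
            tag, val = struct.unpack_from("<QQ", data, off)
            if tag == DT_NULL:
                break
            # Eager binding is what upgrades partial RELRO to full RELRO.
            bind_now |= (tag == DT_BIND_NOW or (tag == DT_FLAGS and bool(val & 0x8))
                         or (tag == DT_FLAGS_1 and bool(val & 0x1)))
    symtab = any(struct.unpack_from("<I", data, e_shoff + i * shentsize + 4)[0] == SHT_SYMTAB
                 for i in range(shnum))
    return {"pie": e_type == ET_DYN,  # heuristic: shared objects are ET_DYN too
            "dynamic": interp, "stripped": not symtab,
            "canary": b"__stack_chk_fail" in data,  # heuristic: symbol-name search
            "relro": "full" if relro and bind_now else "partial" if relro else "none"}

def constructed_sample(e_type=ET_EXEC, bind_now=False) -> bytes:
    """Constructed header-only ELF64 image mirroring the properties in the writeup."""
    dyn = (struct.pack("<QQ", DT_BIND_NOW, 0) if bind_now else b"") + struct.pack("<QQ", DT_NULL, 0)
    dynoff = 64 + 3 * 56
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, dynoff + len(dyn), 0, 64, 56, 3, 64, 1, 0)
    def ph(p_type, off=0, size=0):
        return struct.pack("<IIQQQQQQ", p_type, 4, off, 0, 0, size, size, 8)
    shdr = struct.pack("<IIQQQQIIQQ", 0, SHT_SYMTAB, 0, 0, 0, 0, 0, 0, 0, 0)
    return ehdr + ph(PT_INTERP) + ph(PT_DYNAMIC, dynoff, len(dyn)) + ph(PT_GNU_RELRO) + dyn + shdr

if __name__ == "__main__":
    print(elf64_properties(constructed_sample()))
```

A build with `pie`, `canary` and full RELRO enabled would report `pie: True`, `canary: True` and `relro: full` here.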

*Dynamic Analysis*
- The binary did not do much: it got our input using `read` and exited.
- There were 2 functions: `_syscall`, which gave us a `syscall` gadget, and `main`,
which was used to get our input.

### Exploitation

- There is a buffer overflow: at offset `40` we can control our return pointer.
- This was not the intended way of exploitation, but the exploitation was as follows:

* Leak the address of libc using the `write` syscall, since we can control the value of
`rax` using `read`.

* Look up the leaked libc address and, using `rop`, return to libc, that is, call `system`
with the address of `binsh`.

- The final exploit is [exploit.py](exploit.py)

Original writeup (https://github.com/mutur4/CTF-WRITEUPS-2021/blob/main/CyberApocalypse/system%20dROP/README.md).