x64 ROP

Intro Overflow the buffer and change the return address to the flag function. We are given the compiled binary, the application source code along with the hostname and port to connect to. #include <stdio.h>#include <stdlib.h>#include <string.h>#include <unistd.h>#include <sys/types.h> #define BUFFSIZE 64 #define FLAGSIZE 64 void flag() { char buf[FLAGSIZE]; FILE *f = fopen("flag.txt","r"); if (f == NULL) { printf("%s %s", "Please create 'flag.txt' in this directory with your", "own debugging flag....

Investigation When connecting to challenge server on the given hostname and port, it is an echo server which echoes back the user input in alternate case. $ nc mercury.picoctf.net 37289 WeLcOmE To mY EcHo sErVeR! test TeSt ^C We are given following files: $ ls -lR .: total 20 drwxr-xr-x 2 kali kali 4096 Nov 9 00:32 libc -rw-r--r-- 1 kali kali 95 Mar 15 2021 Makefile -rw-r--r-- 1 kali kali 8560 Mar 15 2021 vuln ....