Hector Martin

Ok, lets go ahead and wrap this up. Last part is wrapping everything up, and that means we need to actually /call/ execve("/bin/sh"). (icymi, execve = libc func to execute binary in place of current thread). This means we just need to get $eax -> str("/bin/sh") at this point.

We have 2 options: 1. ROP, which would def work but finding a gadget to get data out of the BSS and into $eax sounds like a pain. 2. see if we can get the putchar caller to load a full 4 byte word into $eax instead of just 1 byte, like putchar expects. Let's try #2

...but I'm kinda tempted to just see if I can also load an arb stack pointer and get rop of some kind. Let's see where this takes us.

...which makes me think that there's a good chance that this is definitely not how we're expected to do this. ROP in libc works, sure, but I'd like to figure out what they also expected me to do/find here.

Sometimes the fun in CTF problems is doing it the way they *didn't* expect you to do it. At last CCC's CTF we solved a challenge1 one way, then challenge2 worked with the exact same code. There was supposed to be an "easier" way for challenge1... but it looked more annoying.

Yeah, I understand, but the thing is that I know the overarching "more challenging" methods for writing exploits. These are meant to teach tricks 1 by 1 and I'd like to figure out what the tricks are here that I'm missing. At least, I think that's reasonable?