This reversing challenge is a good example of how you can solve a problem a few different ways. I initially solved this challenge symbolically (which I believe is actually the easiest way). However, the challenge can also be solved dynamically, which is what the authors intended. I will go over both solutions here.

$ file neophyte_reversing_ccabcc8f0b9900638a75017f2d6dc029 
neophyte_reversing_ccabcc8f0b9900638a75017f2d6dc029: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=f382dd94583c7310bc8b3dd538e9e604f5a6ee38, stripped

$ file tyro_heap_29d1e9341f35f395475bf16aa988e29b 
tyro_heap_29d1e9341f35f395475bf16aa988e29b: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=b9cc5866c5aacc7a4c92657f5c2b14a95eae68cb, not stripped

Looks like a nice 32-bit executable, symbols still intact. Given the name, this has something to do with exploiting a heap bug. The best thing to do is just play with the binary.

I had a chance to try out a few of the OpenCTF challenges this year at DEFCON. After OpenCTF was over, I went to a talk given by the Shellphish team about their Cyber Grand Challenge adventure. In it, they open-sourced one part of their toolchain, called angrop. To be clear, they intend to open up the rest of their tools, but for now this was the one that was ready to go. Given that there's a brand new ROP tool to play with, and I have OpenCTF challenges to look at, I decided to give it a go and take angrop for a test drive.

Given the name, this challenge deals with using Return Oriented Programming. The term is a bit misleading here: while accurate, most people will think of pop-pop-ret style gadget chaining when they hear ROP. Anyways...

Category: Pwn
Points: 200
Solves: 64
Description:

What's your hacker level?

Find out with this nifty little app at challs.campctf.ccc.ac:10118. You can also run your own instance: hacker_level

Here's another great example of using the format string exploiter to do your work for you. Again, it's about removing the mechanics of exploitation where possible so you can focus on the human task of understanding the vulnerability rather than the machine task of writing the format string. Let's take a peek at the challenge.