Binary Exploitation

ISH(1) (200 pts)

Description

Shell(a.k.a sh) is a text-based interface where users can type commands to interact with the operating system. I'm trying to implement a shell using ISA, I call it ISH.

Note: This challenge is the first part of the ISH fullchain, execute flag1 file in ish to get the flag.

Note: ISH (1), ISH (2) and ISH (3) share the same environment, and it is recommended to solve the ISH fullchain challenges in order.

Note: Here is the and if you need more references.

• Challenge:

• Playground:

Solution

There is a buffer overflow on URL in curl command. With the overflow we can overwrite the filename for the binary that will be executed by command game. So the idea is to find how to make the curl still valid with the overflow and then overwrite the filename with flag1. Below is my payload

curl g.co#aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaflag1
game

Flag: