Good luck on your interview...
nc mc.ax 31081
Downloads **interview-opportunity libc.so.6**
This challenge gives us an ELF binary and a libc file. Right now we can already assume that this is a ret2libc challenge.
If you’ve ever followed a basic buffer overflow tutorial, you know that sometimes it’s as easy as overflowing some shellcode onto the stack and jumping to it. In this challenge, there is some protection that marks the memory as non-executable, which means that shellcode won’t execute here. If we can’t directly execute injected code in memory, where do we go next?
We can go to a place in memory where we know code exists! It’s libc, the C standard library!
Libc is linked to our program, lives in memory and has some useful calls we could return to (ret2libc), such as `system` to execute commands in the shell!
As always, we start by checking the protections on the binary.
```
$ checksec ./interview-opportunity
[*] ./interview-opportunity
    Arch: amd64-64-little
    RELRO: Partial RELRO
    Stack: No canary found
    NX: NX enabled
    PIE: No PIE (0x400000)
```
Unsurprisingly, NX is enabled, which means that memory is not executable. This confirms that we can’t just inject shellcode and expect it to execute.
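As an added example (not part of the original writeup or the challenge files), this Python sketch reads the ELF header fields that checksec-style tools typically rely on for the NX, PIE and RELRO lines. The `build_sample` helper and its inputs are constructed for illustration; canary detection and the Partial/Full RELRO distinction need symbol and dynamic-section parsing and are left out.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header describing stack permissions
PT_GNU_RELRO = 0x6474E552  # region remapped read-only after relocation
PF_X = 0x1                 # execute bit in p_flags
ET_EXEC, ET_DYN = 2, 3     # fixed load address vs. position-independent


def elf_mitigations(data: bytes) -> dict:
    """Report NX, PIE and RELRO-segment presence for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or len(data) < 64 or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # Assumption of this sketch: no PT_GNU_STACK header is reported as "no NX".
    nx, relro = False, False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 8 > len(data):
            raise ValueError("program header table is truncated")
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    # ET_DYN also covers shared libraries; for a main executable it means PIE.
    return {"NX": nx, "PIE": e_type == ET_DYN, "RELRO segment": relro}


def build_sample(e_type: int, segments: list) -> bytes:
    """Constructed input: an ELF64 header followed only by program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0,
                                 0, 64, 56, len(segments), 0, 0, 0)
    return header + b"".join(
        struct.pack("<II6Q", p_type, flags, 0, 0, 0, 0, 0, 0)
        for p_type, flags in segments)


if __name__ == "__main__":
    # Constructed sample shaped like the checksec output above: no PIE, NX stack.
    sample = build_sample(ET_EXEC, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])
    print(elf_mitigations(sample))
```

To check a real file, pass its bytes instead: `elf_mitigations(open(path, "rb").read())`.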
Additionally, we can run the `strings` command to see if there are any interesting strings, but that doesn’t seem to be the case.
The next thing I do is execute the binary.
```
$ chmod +x ./interview-opportunity
$ ./interview-opportunity
Thank you for you interest in applying to DiceGang. We need great pwners like you to continue our traditions and competition against perfect blue.
So tell us. Why should you join DiceGang?
asd
Hello:
asd
@
```
There’s no way I’ll pass this interview, but I’m just here for a shell. Now it is debug time.
Let’s look at it in Ghidra and see if it can give us some pseudocode. When inspecting the main function, it spits out this:
Can you spot the issue?