Warning. This is actually an article that I began writing in March 2019, and it never got published…

It is the [insert an arbitrary number] time I have determined to learn binary exploitation since April 2017. However, I have always lost intention, as the problems are much more challenging than I am capable of. I could hardly remember anything the next time I determined to study again. That's an incentive for me to write blog posts - I could read them and recall what has happened, thus spending less time learning all over from zero. Of course, it would always be better if I could persist.

This is the first part of me solving binary exploitation challenges, and I cannot guarantee there will be follow-ups.

Getting "started" in

As I remember, this is my third time solving "Start" in But it is always refreshing for me as I am so forgetful... and I have never written walkthroughs while I learn pwnables.

The primary goal of binary exploitation challenges (pwnables) is to get access to the shell of a remote server. For web challenges in CTFs, this could be achieved by identifying RCE (remote code execution) vulnerabilities. For pwnables, one way would be injecting shellcode through a stack overflow.

To begin with start, we use the GNU debugger (gdb) to perform static analysis on the binary:

Using GNU debugger (gdb) for start.

As an amateur, I could not read assembly code well. Let's annotate the code first.

The _start function annotated. But why is it handwritten?

It involves four parts:

  1. *_start+0 to *_start+12: push the current stack pointer and the return address (_exit) to the stack.
  2. *_start+14 to *_start+47: push the string "Let's start the CTF" into the stack and print it to stdout.
  3. *_start+49 to *_start+55: read 60 bytes from stdin to the stack.
  4. *_start+57 to *_start+60: move the stack pointer by +20 bytes and continue executing the code at the address found at the stack pointer.
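
A small C model of the stack layout those four steps imply, added here as an illustration and not part of the original post. It assumes the read in step 3 lands where the 20-byte string was pushed, so a 60-byte read can reach the return address and saved stack pointer from step 1, while a 20-byte limit cannot. The names `struct frame`, `simulate_read` and the `HIT_*` flags are made up for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN  20   /* step 4 skips 20 bytes before returning */
#define READ_LEN 60   /* step 3 reads up to 60 bytes */
#define SLOT     4    /* one 32-bit stack slot */

/* Modelled frame, lowest address first (layout assumed from steps 1-4). */
struct frame {
    uint8_t buf[BUF_LEN];       /* where the pushed string lived */
    uint8_t ret_addr[SLOT];     /* return address pushed in step 1 */
    uint8_t saved_esp[SLOT];    /* stack pointer pushed in step 1 */
    uint8_t above[READ_LEN - BUF_LEN - 2 * SLOT]; /* older stack contents */
};

enum { HIT_RET = 1, HIT_SAVED_ESP = 2, HIT_ABOVE = 4 };

/* Copy at most read_limit bytes of input into the frame, as the read in
 * step 3 would, and report which regions no longer hold their old bytes. */
static int simulate_read(const uint8_t *in, size_t in_len, size_t read_limit)
{
    struct frame before, after;
    size_t n = in_len < read_limit ? in_len : read_limit;
    int hit = 0;

    if (n > sizeof after) n = sizeof after;   /* keep the model in bounds */
    memset(&before, 0xAA, sizeof before);     /* constructed filler bytes */
    after = before;
    memcpy(&after, in, n);

    if (memcmp(after.ret_addr, before.ret_addr, SLOT))   hit |= HIT_RET;
    if (memcmp(after.saved_esp, before.saved_esp, SLOT)) hit |= HIT_SAVED_ESP;
    if (memcmp(after.above, before.above, sizeof after.above)) hit |= HIT_ABOVE;
    return hit;
}

int main(void)
{
    uint8_t input[READ_LEN];
    memset(input, 'A', sizeof input);         /* constructed sample input */

    printf("read limit 60: mask %d\n", simulate_read(input, sizeof input, READ_LEN));
    printf("read limit 20: mask %d\n", simulate_read(input, sizeof input, BUF_LEN));
    return 0;
}
```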

Visualizing the stack

Wait… why aren’t you redirected yet?

Exploiting the stack overflow vulnerability

Please get redirected now…


Well, although this is intended to be trollish today (it is the day in GMT+8), I hope this blog post will be completed some day soon.