Binary Exploitation on 4mN3s14 | CTF Player & Studenthttps://john-jkar.github.io/myblog/tags/binary-exploitation/Recent content in Binary Exploitation on 4mN3s14 | CTF Player & StudentHugoen-usWed, 18 Feb 2026 06:00:00 +0000 Disappeared (Daily Alpacahack) Writeuphttps://john-jkar.github.io/myblog/posts/diappeared/Wed, 18 Feb 2026 06:00:00 +0000https://john-jkar.github.io/myblog/posts/diappeared/<h1 id="disappeared--daily-alpacahack-writeup">Disappeared — Daily Alpacahack Writeup</h1> <p><strong>Category:</strong> Pwn · <strong>Difficulty:</strong> Medium ·</p> <hr> <h2 id="overview">Overview</h2> <p>We&rsquo;re given source code and a netcat address. The code looks safe at first glance — there&rsquo;s a bounds check on the array index before any write. The trick is in the compile command:</p> <pre tabindex="0"><code>gcc -DNDEBUG -o chal main.c -no-pie </code></pre><p>Two flags matter: <code>-DNDEBUG</code> and <code>-no-pie</code>.</p> <hr> <h2 id="the-vulnerability">The Vulnerability</h2> <h3 id="-dndebug-silently-deletes-assert"><code>-DNDEBUG</code> silently deletes <code>assert()</code></h3> <p>The C standard specifies that when <code>NDEBUG</code> is defined, every <code>assert()</code> call is <strong>completely removed by the preprocessor</strong> — not weakened, not skipped at runtime. Deleted.</p>Simple ROP Writeuphttps://john-jkar.github.io/myblog/posts/rop/Sun, 15 Feb 2026 06:00:00 +0000https://john-jkar.github.io/myblog/posts/rop/<h1 id="simple-rop-alpacahack--writeup">Simple ROP Alpacahack — Writeup</h1> <p><strong>Category:</strong> Pwn<br> <strong>Difficulty:</strong> Hard<br> <strong>Goal:</strong> Call</p> <p><code>win(0xdeadbeefcafebabe, 0x1122334455667788, 0xabcdabcdabcdabcd)</code></p> <p>to spawn a shell and read <code>/flag.txt</code>.</p> <hr> <h1 id="understanding-the-binary">Understanding the Binary</h1> <p>The vulnerable code:</p> <p><code>char buffer[64]; gets(buffer);</code></p> <p><code>gets()</code> allows unlimited input → <strong>buffer overflow vulnerability</strong>.</p> <p>The <code>win()</code> function checks 3 arguments:</p> <p><code>param1 == 0xdeadbeefcafebabe param2 == 0x1122334455667788 param3 == 0xabcdabcdabcdabcd</code></p> <p>If all pass → <code>/bin/sh</code> is executed.</p> <hr> <h1 id="security-protections">Security Protections</h1> <p>From <code>checksec</code>:</p> <p><code>Arch: amd64 RELRO: Full RELRO Stack: No canary NX: Enabled PIE: Enabled SHSTK: Enabled IBT: Enabled</code></p>