https://john-jkar.github.io/myblog/tags/rop/Recent content in Rop on 4mN3s14 | CTF Player & StudentHugoen-usSun, 15 Feb 2026 06:00:00 +0000https://john-jkar.github.io/myblog/posts/rop/Sun, 15 Feb 2026 06:00:00 +0000https://john-jkar.github.io/myblog/posts/rop/<h1 id="simple-rop-alpacahack--writeup">Simple ROP Alpacahack — Writeup</h1> <p><strong>Category:</strong> Pwn<br> <strong>Difficulty:</strong> Hard<br> <strong>Goal:</strong> Call</p> <p><code>win(0xdeadbeefcafebabe, 0x1122334455667788, 0xabcdabcdabcdabcd)</code></p> <p>to spawn a shell and read <code>/flag.txt</code>.</p> <hr> <h1 id="understanding-the-binary">Understanding the Binary</h1> <p>The vulnerable code:</p> <p><code>char buffer[64]; gets(buffer);</code></p> <p><code>gets()</code> allows unlimited input → <strong>buffer overflow vulnerability</strong>.</p> <p>The <code>win()</code> function checks 3 arguments:</p> <p><code>param1 == 0xdeadbeefcafebabe param2 == 0x1122334455667788 param3 == 0xabcdabcdabcdabcd</code></p> <p>If all pass → <code>/bin/sh</code> is executed.</p> <hr> <h1 id="security-protections">Security Protections</h1> <p>From <code>checksec</code>:</p> <p><code>Arch: amd64 RELRO: Full RELRO Stack: No canary NX: Enabled PIE: Enabled SHSTK: Enabled IBT: Enabled</code></p>