binary_demo1 is a program that resembles several of the picoCTF binary challenges. When supplied with a correct command line argument, binary_demo1 will invoke a shell. For real picoCTF challenges, the challenge binary will often be a setgid binary, which causes extra privileges to come with any shell invoked from within that binary (i.e. the privileges to read a ./flag file). However, this demo binary is not setgid, so anything you could do from the shell that gets invoked inside of it was already achievable from the shell you invoked binary_demo1 from.
binary_demo1 exercises some basic C syntax. Teaching C is beyond the scope of these educational materials, but most picoCTF challenges require nothing more than you might already know from AP CS Java or could pick up in a few hours with online C tutorials.
Reading binary_demo1.c, it's not too hard to see that the "solution" to this demo is entering something like ./binary_demo1 this_is_the_password on the command line. However, the actual argument you need to pass has non-ASCII characters in it. I myself would use the python command python -c 'print([hex((~ord(c))%256) for c in "the"])' to check out exactly what those bitwise-complemented letters from binary_demo1.c actually are.
Then, there are several ways to pass command-line arguments involving non-ASCII characters:

- Bash escapes:
  ./binary_demo1 $'this_is_\x8b\x97\x9a_pass\x99word'
  In the bash shell, passing a string like $'string' allows backslash escape sequences to be used in the string, such as the hex codes shown above.

- Command substitution:
  ./binary_demo1 "$(cat /tmp/myfile)"
  In any standard shell, you can use the output of another command as a command line argument like so: "$(command arg1 arg2 ...)". In the above case, we're using the contents of the file /tmp/myfile as our argument via the cat command. (You can type man cat on the terminal to get more information about the cat command.)

- Execing via python, perl, ruby, etc.:
  If you're comfortable in a scripting language, most have some way of invoking a binary with specific args. For example, in python you could run
  from os import execl
  # a bytes literal, so the \x escapes reach the binary as raw bytes rather than as UTF-8 encoded text
  execl('./binary_test1', './binary_test1', b'this_is_\x8b\x97\x9a_pass\x99word')
  Heads up: for many "exec"-like functions (including in languages other than python), you'd seemingly need to pass ./binary_test1 twice: once to state where the binary_test1 binary is, and the second time to set the argv[0] value that binary_test1 will see. (Programs don't usually care what argv[0] actually is, but something still needs to be there.)
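Tying the pieces above together, here is an added Python helper (not part of binary_demo1 or picoCTF) that computes the complemented bytes for any marked letters, renders them in the bash $'...' form, and can pass the raw bytes straight to the binary without a shell in between. The curly-brace template notation, the function names and a ./binary_demo1 in the current directory are assumptions of this example, not anything the demo itself defines.

```python
import subprocess


def complement_byte(c):
    """Bitwise complement of one ASCII character, reduced to a single byte.
    Same computation as the page's hex((~ord(c)) % 256)."""
    return (~ord(c)) % 256


def build_argument(template):
    """Turn a template such as "this_is_{the}_password" into the argv byte string:
    characters inside {...} are bitwise-complemented, everything else stays ASCII.
    The brace notation is an assumption of this example, not part of binary_demo1."""
    out = bytearray()
    inside = False
    for ch in template:
        if ch == "{":
            inside = True
        elif ch == "}":
            inside = False
        else:
            out.append(complement_byte(ch) if inside else ord(ch))
    if 0 in out:
        # argv entries are NUL-terminated C strings, so a 0x00 byte can never be
        # delivered by any of the methods above (bash escapes, $(...), or exec)
        raise ValueError("argument would contain a NUL byte")
    return bytes(out)


def bash_escaped(arg):
    """Render the bytes as a bash $'...' literal (the Bash escapes method):
    printable ASCII is kept, everything else plus quote and backslash become \\xNN."""
    parts = []
    for b in arg:
        if 0x20 <= b < 0x7F and chr(b) not in "'\\":
            parts.append(chr(b))
        else:
            parts.append("\\x%02x" % b)
    return "$'" + "".join(parts) + "'"


def run_binary(path, arg):
    """Run the binary with the raw bytes as argv[1]; returns its exit status.
    subprocess fills in argv[0] from the path, so unlike os.execl it is given once."""
    return subprocess.run([path, arg]).returncode


if __name__ == "__main__":
    arg = build_argument("this_is_{the}_password")  # constructed sample template
    print(bash_escaped(arg))                # paste this form into bash, or...
    print(run_binary("./binary_demo1", arg))  # ...let Python pass the bytes directly
```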
For additional information about C or the bash shell, the internet is a great resource ^_^