# CTFZone 2022

## OneChat

A message-board chat program. A user can leave a message and view the latest one. However, there is a buffer overflow in the add_message function. Since there is no PIE and no ASLR, a ROP chain can be built.

Learned to use LibcSearcher, since the organizer didn’t provide the libc version in the challenge attachment.

EXP:

## microp

A very simple program: it just reads user input with sys_read and then returns. The first thing that comes to mind is to take control of the syscall number by controlling rax, which holds the length of the user input. However, I have no way to modify rdi to run sys_execve.

After 2019’s instruction, it is a classic SROP challenge. We can use sys_sigreturn to load a forged signal frame and take control of all registers. Here we use sys_mprotect to change the permissions of the program’s page so that shellcode can execute.
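Both writeups hinge on which mitigations the binary was built with (no PIE for the OneChat ROP chain; NX in place, hence the mprotect step, for microp). The following checker is an added example, not part of the original writeup or the challenge files: it reads PIE (ET_DYN), NX (PT_GNU_STACK without PF_X) and RELRO (PT_GNU_RELRO present) straight from the ELF64 headers, and the sample images it inspects are constructed inline.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 0x1

EHDR = "<16sHHIQQQIHHHHHH"   # ELF64 file header, little-endian
PHDR = "<IIQQQQQQ"           # ELF64 program header


def check_mitigations(data: bytes) -> dict:
    """Report PIE / NX / RELRO status from the ELF64 headers in `data`."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    fields = struct.unpack_from(EHDR, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    # Without a PT_GNU_STACK entry the loader falls back to an executable stack,
    # so NX only counts as present when the entry exists and lacks PF_X.
    nx, relro = False, False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def build_sample(e_type: int, phdrs: list) -> bytes:
    """Constructed minimal ELF64 image: header followed by (p_type, p_flags) phdrs."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9
    ehdr = struct.pack(EHDR, ident, e_type, 62, 1, 0x401000, 64, 0, 0,
                       64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack(PHDR, t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


# Constructed samples: a non-PIE binary with NX (the OneChat/microp situation),
# a fully hardened one, and one built with an RWX stack.
NO_PIE_NX = build_sample(ET_EXEC, [(PT_GNU_STACK, 0x6)])
HARDENED = build_sample(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])
RWX_STACK = build_sample(ET_EXEC, [(PT_GNU_STACK, 0x7)])

if __name__ == "__main__":
    for name, img in [("no-pie", NO_PIE_NX), ("hardened", HARDENED), ("rwx", RWX_STACK)]:
        print(name, check_mitigations(img))
```

Point it at a real file with `check_mitigations(open(path, "rb").read())`; a missing PIE or NX flag is the signal that the reasoning above applies to that binary.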

EXP: