Cyber Training Guide
What is Binary Exploitation?

Binary Exploitation, commonly known as binex or pwn, is the process of crafting inputs (payloads) that cause a program to behave in a way the original programmer did not intend.

In binary exploitation challenges, we are given a binary (a compiled executable, sometimes alongside its source code), and it's our job to craft a payload that achieves a desired result. In CTF competitions, that result is usually printing a "flag", a string of text that serves as the solution to the challenge.

Flags are usually stored in a flag.txt file in the same directory as the binary. The format of the flag depends on the creator of the challenge; in our case, we will use:

flag{this_is_a_flag}

There are three common scenarios that you will find in CTF competitions:

  1. The binary has a function called win(), or something similar, that contains instructions to print the flag.

  2. The binary loads the flag into memory (for example, by reading flag.txt at startup), and we must leak it through a memory-disclosure bug.

  3. The flag is never loaded into memory, nor is it ever read. In this instance, we aim to obtain a shell on the remote server and read the file ourselves.

One of the most challenging parts of binary exploitation is determining what vulnerability the binary has, which directly corresponds to the exploit technique we're going to use.

The chapters of these lecture notes are organized by the security mitigation the binary has enabled (or, looked at the other way, the weakness it leaves open). This way, by first checking which mitigations the binary was built with, we'll have a firm idea of our attack vector before reading a single line of disassembly.
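The check described above is what tools like checksec or pwntools' ELF class automate. The script below is an added example, not code from the original notes: it reads the mitigation-relevant ELF64 headers with only the Python standard library, so you can see where each bit of the checksec output actually comes from. The synthetic ELF it builds for demonstration is constructed here, not a real binary, and the mapping to chapters at the end is a rough guide, not a rule.

```python
import struct
import sys

# ELF constants taken from the ELF specification / elf.h
ET_EXEC = 2
ET_DYN = 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
PF_W = 0x2
PF_R = 0x4
EHDR_FMT = "<HHIQQQIHHHHHH"   # Elf64_Ehdr after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"        # Elf64_Phdr (p_type, p_flags, ...)


def build_sample_elf(pie=True, nx=True, relro=True, canary=True):
    """Construct a minimal synthetic ELF64 image (constructed sample, not a
    runnable program). It carries only the headers and the symbol-name string
    that check_mitigations() inspects."""
    phdrs = []
    if nx is not None:                      # None = omit PT_GNU_STACK entirely
        flags = PF_R | PF_W | (0 if nx else PF_X)
        phdrs.append((PT_GNU_STACK, flags))
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, little-endian, v1
    ehdr = e_ident + struct.pack(
        EHDR_FMT,
        ET_DYN if pie else ET_EXEC, 0x3E, 1,  # e_type, e_machine (x86-64), e_version
        0x1000, 64, 0,                         # e_entry, e_phoff, e_shoff
        0, 64, 56, len(phdrs), 64, 0, 0)       # e_flags, e_ehsize, e_phentsize, e_phnum, ...
    body = b"".join(struct.pack(PHDR_FMT, t, f, 0, 0, 0, 0, 0, 0x10) for t, f in phdrs)
    # A real binary compiled with -fstack-protector imports __stack_chk_fail; mimic
    # its presence in the dynamic string table with a NUL-terminated name.
    tail = b"\x00__stack_chk_fail\x00" if canary else b"\x00"
    return ehdr + body + tail


def check_mitigations(data):
    """Return {'NX', 'PIE', 'RELRO', 'Canary'} for raw ELF64 little-endian bytes.

    NX:     PT_GNU_STACK present without PF_X. Absent PT_GNU_STACK is reported
            as NX off, matching checksec's convention (x86-64 default stack is executable).
    PIE:    e_type == ET_DYN (position-independent executable).
    RELRO:  PT_GNU_RELRO segment present (partial RELRO at least; full RELRO also
            needs DT_BIND_NOW, which this script does not parse).
    Canary: heuristic, the __stack_chk_fail symbol name appears in the file.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a 64-bit little-endian ELF")
    fields = struct.unpack_from(EHDR_FMT, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]
    nx, relro = False, False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        "NX": nx,
        "PIE": e_type == ET_DYN,
        "RELRO": relro,
        "Canary": b"__stack_chk_fail" in data,
    }


def suggest_chapters(m):
    """Rough mapping from mitigations to the chapters of this guide (an assumption
    for orientation, not a rule; the bug itself decides the technique)."""
    hints = []
    hints.append("0x5 ROP / 0x1 ret2win" if m["NX"] else "0x2 shellcodes")
    if m["Canary"]:
        hints.append("0x4 stack canaries (leak or bypass first)")
    if m["PIE"]:
        hints.append("0x6 PIE (need an address leak)")
    if not m["RELRO"]:
        hints.append("0x8 GOT overwrites (GOT is writable)")
    return hints


if __name__ == "__main__":
    # Usage: python checksec_lite.py ./binary   (falls back to the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    result = check_mitigations(blob)
    for name, on in result.items():
        print(f"{name:7}: {'enabled' if on else 'disabled'}")
    print("Look at:", ", ".join(suggest_chapters(result)))
```

Run it against a real challenge binary and compare with `checksec --file=./binary`; the two should agree on NX, PIE and canary, and this script will say RELRO is present wherever checksec reports either partial or full RELRO.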

Debugger Notes

The notes use gdb as the primary debugger, and all addresses and offsets quoted in them come from gdb. I am currently migrating radare2 output into the notes as well. To avoid making the notes more confusing, I will continue to reference the gdb output with respect to addresses and offsets, and I am doing my best to include the equivalent command names for both tools within the notes themselves.

Last updated 1 year ago