Binary Exploitation Complete

Robert Jamison

 | 

01 Aug 2021

Back in Late May, I signed up for a college class against all of my peers’ recommendations. This class had a reputation for being one of the hardest, self-taught, and competitive classes at Georgia Tech. As of today, all my exploits and writeups have been approved, and I’ve completed my training in the compressed course, CS 6265 - “Binary Capture The Flag”.

Completing this course is my most proud accomplishment at GA Tech. Hopefully, my friends will still want to hang out after months of blowing them off. Here’s just a few of the things I’ve been working on:

• SSHing into labs until my fingers callous
• Re-learning bitwise Python
• Understanding how GDB works
• Becoming an expert in pwn-dbg
• Booting up Ghidra every five seconds
• Learning Assembly (I can talk to machines now).
• Creating custom shellcode in 32-bit and 64-bit (and polyglots too)
• Discovering the joys of pwntools
• Bypassing canaries, stack protections, DEP, and ASLR (because why not)
• Using snippets of your own binaries against you (Return Oriented Programming)
• Using side-channel attacks to steal your “secure” credentials

This whole process was like being swept up in a tornado. Half the time, all I could think about was how to solve the next problem – and I solved a lot. I’ve exploited over 46 binaries in the last two months, all of which I gained root level access to. Even so, I’m only in the top 50% of my class, which doesn’t allow for much in the form of bargaining rights.

With all this said, I’ve learned a lot from our instructor, Taesoo Kim, and almost everything from Intel’s thousand-page manual on i386 architectures.