CTF Write‑up – “ipzz‑447”
(This write‑up assumes the challenge was hosted in a typical Jeopardy‑style CTF. All steps are reproduced on a fresh Ubuntu 22.04 VM. Replace file names/paths with the ones you receive in the actual challenge.)
- The binary is stripped, so we have no symbol names.
- It is not PIE, making address offsets stable across runs.
- NX is enabled, so we cannot inject shellcode on the stack.
- No stack canary, meaning a classic stack‑overflow is possible.
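As an added check (not part of the original write-up), the following Python script reads the PIE and NX properties listed above directly from the ELF64 header and PT_GNU_STACK program header, so they can be confirmed without a third-party tool; it assumes a little-endian ELF64 binary and is demonstrated on a constructed minimal ELF image rather than the challenge file.

```python
import struct
import sys

# ELF64 constants (from the ELF specification)
ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2               # fixed-address executable: "not PIE"
ET_DYN = 3                # position-independent executable (or shared object)
PT_GNU_STACK = 0x6474E551
PF_X = 0x1                # executable flag in p_flags


def elf_hardening(data: bytes) -> dict:
    """Report PIE and NX status of a little-endian ELF64 image.

    PIE is decided by e_type (ET_DYN); NX by the PT_GNU_STACK flags.
    checksec-style tools treat a missing PT_GNU_STACK as an executable stack,
    so nx stays False unless the header is present without PF_X.
    """
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {"pie": e_type == ET_DYN, "nx": nx}


def make_sample_elf(e_type: int, stack_flags: int) -> bytes:
    """Constructed sample input: a 64-byte ELF64 header followed by a single
    PT_GNU_STACK program header. It is not loadable; it only exercises the parser."""
    ehdr = struct.pack(
        "<4sBBBBB7sHHIQQQIHHHHHH",
        ELF_MAGIC, 2, 1, 1, 0, 0, b"\0" * 7,   # e_ident: ELF64, LSB, version 1
        e_type, 0x3E, 1,                        # e_type, EM_X86_64, e_version
        0x401000, 64, 0,                        # e_entry, e_phoff (right after header), e_shoff
        0, 64, 56, 1, 64, 0, 0)                 # e_flags, ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == "__main__":
    # Usage: python3 elfcheck.py <binary>  (e.g. the challenge file ipzz-447)
    with open(sys.argv[1], "rb") as f:
        print(elf_hardening(f.read()))
```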
2.3 Entropy / Section Layout
$ objdump -h ipzz-447
Running the script prints the same flag we obtained manually.
Thus we need 64 + 8 = 72 filler bytes, followed by the new return address (0x4012ac).
Because the binary is not PIE, absolute addresses are static, making Path B the simplest.