OTW Behemoth Retrospective

This commit is contained in:
lordtet 2026-03-30 19:18:51 -04:00
parent 64aa87fe9d
commit 4a5d71bc14


@ -0,0 +1,74 @@
---
permalink: false
title: "Over The Wire - Behemoth retrospective"
date: 2026-03-30
tags:
- OverTheWire
- CTF
- pwn
---
## Prologue
_push ebp; mov esp, ebp; sub esp, 4_
### Context
A long time ago now, I did a bunch of these OverTheWire wargames. Back then, it was as an introduction to cybersecurity, when I was trying to transition to it in college. Now, with my feet wet with a little network security experience, I find myself missing that. There's something about gaining control over something by out-witting the architecture that is so gratifying. So, I decided to come back and tackle it again. If it's in the cards, maybe this marks a career shift for me :o). Who knows.
### OTW Policy, "Why this post?"
OverTheWire has a no-spoiler policy. Granted, they aren't going to hunt me down, and there are already tons of writeups online. But I believe in the mission and what it stands for - so even though I'd love to show off my work, I'm going to abstain. That's where this blog post comes in.
Instead of posting my solution, I'm simply going to post a retrospective at the end about what I learned. For future CTFs, this may change to be more granular, but Behemoth is easy enough. Got it done over a couple of days.
## Actually attacking the challenge
### Goals
So why return to this one in particular? I didn't go back to anything easier, nor did I start with anything particularly difficult.
To me, I wanted to build real skill. I believe this requires being challenged _just enough_ at my skill level, and doing the rote work. Much like practicing problems in math, you want to have to do it the "right" way enough to understand it. So I tackled these problems with a different solution to the same thing. Sometimes I wrote my own shellcode. Sometimes I used pwntools' pre-canned shellcode. Sometimes I used shell-storm shellcodes. For every "fundamental", I tried to do it in multiple ways.
Additionally, when I did these forever ago, I was, for lack of a better word, a total skid. I was really just manually shifting payloads around with pre-canned shellcode straight off of shell-storm. I wasn't REALLY getting intimate with the internals, I was just using them as a convenient toy. This time, I do a lot more shellcoding, spend a lot of time in the debugger, and use more tools. In particular, my tool-goals are to use more pwntools for scripting, and get comfortable on radare2 for my analysis.
### Results
And get comfortable I did! I am now confident I can bring these tools over to the next challenge and begin to catch up to where I was when I left off forever ago, but correctly this time. So, let's see, did I meet my goals?
- Radare2
Way more comfortable here. Had a few super productive assembly markup sessions, and got comfortable navigating it. Not a power user just yet, haven't even had to harness the scripting. But I can do the basics.
- pwntools
Also had a great time learning more about using this library. One particular challenge was a simple format string bug, and pwntools' fmt library was a very fun way to generate the payload for the solve. I'm also straight ADDICTED to shellcoding with assembly within a string, and having it assemble it at runtime! In my previous shellcode excursions, I'd really have to assemble a binary myself and extract the code from the resulting executable. This was WAY more streamlined.
### Epilogue
_mov esp, ebp; pop ebp; ret_
I think this was a super succesful traceback to a set of easier challenges to build some stronger fundamentals, and I'm looking forward to doing more. In the interest of not leaving this post without any real code, have a pwntools excerpt of shellcode I made that simply does `setreuid(0x32CC)` and `execve("/bin/sh", NULL, NULL)`.
```python
#0xf7f41de8 in the shellcode is the location of /bin/sh in libc. Waste not want not!
shellcode = '''
sub esp,0x40
xor eax, eax
xor ebx, ebx
xor ecx, ecx
mov al, 0x46
mov bl, 0xCC
mov bh, 0x32
mov cl, 0xCC
mov ch, 0x32
int 0x80
xor eax,eax
xor edx, edx
xor ecx, ecx
mov ebx, 0xf7f41de8
mov al, 0xB
int 0x80
'''
```
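Review bot: the epilogue prose describes the shellcode as `setreuid(0x32CC)`, but the block loads 0x32CC into both ebx and ecx before the `int 0x80` with al=0x46, so what it actually issues is `setreuid(0x32CC, 0x32CC)`; stating both arguments in the sentence would keep the text consistent with the code. The comment on `mov ebx, 0xf7f41de8` says this is "/bin/sh" in libc, and it would help readers to add that the address is specific to the libc build and load address on the challenge box (it will not hold under ASLR or a different libc), since the rest of the post is about building transferable fundamentals. Minor: "succesful" in the epilogue should read "successful".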