PicoCTF 2017 – A Thing Called A Stack #ctf #picoctf #appsec #infosec #reverseengineering

Another day, another challenge.

In today’s blog post we’re going to solve the “A Thing Called A Stack” challenge from PicoCTF.

Let’s get started.

Clicking on the challenge, we see the following:


OK, so we’re given a file containing a short assembly listing, and we need to determine the difference between the value of esp at the end of the code and the address where the saved return address lives.

Looking at the hints we see the following:


The hints raise two separate questions: where is the return address saved, and which instructions actually move the stack pointer?

DISCLAIMER: I haven’t worked with assembly in probably 8 years. So, what did I do? Go to YouTube.

Searching for “Assembly tutorial”, I found a GREAT crash course explaining assembly.

I have linked the video here.

Opening the file (Notepad++ is great!), we see the following:


Using the YouTube tutorial, let’s decode the assembly code.

First we push ebp (the base pointer) onto the stack. The call instruction that brought us here had already pushed the return address, so the return address is the word sitting just above the saved ebp.

Next, mov ebp, esp copies esp (the stack pointer) into ebp, so the new frame’s base pointer marks the saved ebp, and the saved return address sits one word above it at ebp+4. That answers question #1 in the hints section.

Next, we push edi, esi, and ebx onto the stack. Note that these instructions DO change the stack: each push lowers esp by 4 bytes, 12 bytes in total.

Next, we subtract 180 (0xb4 hex) from esp to reserve room for the local variables.

Next, we store the local variables x = 0, y = 1, z = 2, and a = 3 into four consecutive 4-byte slots in the space we just reserved. These are plain memory writes relative to esp; they do not move esp at all. That answers question #2 in the hints section: push, pop, and arithmetic on esp change the stack pointer, while stores through esp do not.

So at the end of the code esp sits 4 (saved ebp) + 12 (three pushes) + 180 (locals) = 196 bytes below the saved return address.

Let’s convert 196 to hexadecimal.

Doing this we get the following: 0xc4
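The stack arithmetic above, as an added example that is not part of the original post: a small Python simulator that walks a reconstructed copy of the challenge prologue and tracks esp relative to the slot holding the saved return address. The listing is constructed from the post’s description of the screenshot; the mnemonics match what the post walks through, but the exact operand spelling and the [esp+N] offsets of the four stores are assumptions. It also reports which instructions actually moved esp, which is the hint’s second question.

```python
import re

# Constructed listing, reconstructed from the post's description of the
# challenge screenshot (the image is not reproduced here). The mnemonics are
# the ones the post walks through; the operand spelling and the [esp+N]
# offsets of the four stores are assumptions.
PROLOGUE = """
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 0xb4
mov DWORD PTR [esp], 0x0
mov DWORD PTR [esp+0x4], 0x1
mov DWORD PTR [esp+0x8], 0x2
mov DWORD PTR [esp+0xc], 0x3
"""

WORD = 4  # 32-bit x86: every push/pop moves esp by one 4-byte word


def simulate(listing):
    """Run the listing through a tiny esp/ebp tracker.

    Addresses are relative to the slot holding the saved return address:
    on entry the call instruction has just pushed it, so esp == 0 points
    at it and everything the prologue pushes lands at negative offsets.
    Returns (esp, ebp, trace); trace lists (instruction, esp_after) for
    every instruction, so the ones that leave esp untouched are visible.
    """
    esp, ebp = 0, None
    trace = []
    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        op, _, rest = line.partition(" ")
        op = op.lower()
        operands = [s.strip().lower() for s in rest.split(",")] if rest else []

        if op == "push":
            esp -= WORD
        elif op == "pop":
            esp += WORD
        elif op == "mov":
            dst, src = operands
            if dst == "ebp" and src == "esp":
                ebp = esp            # frame base now marks the saved-ebp slot
            elif dst == "esp" and src == "ebp":
                esp = ebp            # epilogue: tear the frame back down
            # any other mov (e.g. a store through [esp+N]) leaves esp alone
        elif op in ("sub", "add"):
            if operands[0] == "esp":
                n = int(operands[1], 0)  # accepts 0xb4 or 180
                esp += -n if op == "sub" else n
        else:
            raise ValueError(f"unsupported instruction: {line}")
        trace.append((line, esp))
    return esp, ebp, trace


def return_address_offset(listing):
    """Distance from the final esp up to the saved return address."""
    esp, _, _ = simulate(listing)
    return -esp


def saved_ebp_offset(listing):
    """Distance from the final esp up to the saved ebp (ebp - esp)."""
    esp, ebp, _ = simulate(listing)
    return ebp - esp


def esp_movers(listing):
    """The instructions that actually changed esp (the hint's second question)."""
    _, _, trace = simulate(listing)
    movers, prev = [], 0
    for insn, esp in trace:
        if esp != prev:
            movers.append(insn)
        prev = esp
    return movers


if __name__ == "__main__":
    for insn, esp in simulate(PROLOGUE)[2]:
        print(f"{insn:32} esp = {esp:5}  (return address at esp+{-esp})")
    off = return_address_offset(PROLOGUE)
    print(f"answer: {off} = {hex(off)}")
```

Running it prints one line per instruction, and the four mov stores show the same esp as the sub before them, which is the whole point of the second hint. The tracker also understands the matching epilogue (mov esp, ebp / pop ebp), after which esp is back at the return address slot, so it can be used to sanity-check a hand-drawn frame for any simple prologue of this shape.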

Entering this into the challenge, we see that solved the challenge and acquired 60 points!



I’ll start this post by being truthful… I honestly forgot about this blog post. At the time I was an application developer looking to transfer into the Information Security field. This was about 5 years ago. So where am I today? I’m currently in the Information Security field as an Application Security Tester working on a DevOps pipeline. As the tagline of this blog states I still want to become a penetration tester.

You, the reader, might be wondering: why? I look at penetration testing as a game (I’m a gamer at heart). I have this console, and I know what I need to do (gain r00t), but the process of doing it is left up to the penetration tester.

I still love web application penetration testing – but I would also love to get into mobile penetration testing since EVERYONE has a mobile phone.

So… how do I want to revamp this site? I want to show my skills. I will start with showing my solutions to vulnerable virtual machines. My first would be the OWASP Hackademic Challenge. This challenge happened about 4 years ago, but each challenge illustrates the OWASP Top Ten, and I think this will be a good introduction to show how an application developer is STILL making the transition to a penetration tester.  🙂



I guess I should get the formalities out of the way.

I started this blog to discuss my journey of transitioning over to the Information Security field. I see my end goal as becoming a Penetration Tester. At this time, I have the education (Masters in Computer Science, graduate certificate in Information Security and Privacy) but even with the education, I do not have the practical knowledge at this time (that’s changing though).

Now to begin the formalities:

I’ve been trying to enter the Information Security field for the past 8 years. I can remember like it was yesterday how I became interested in the topic. I stumbled into a Yahoo! Group post on Cryptography. I remember spending 2 hours looking at all the posts and becoming intrigued by how messages were scrambled and to the naked (untrained) eye looked like gibberish. At that time I said, “I want to do cryptography.” After doing more research, I realized that while cryptography is interesting, the field is narrow. I wanted my career to give me options; I didn’t want to do the same thing every day. Next, I decided that I wanted to look at authentication protocols after reading Michelle Brown’s speech to Congress about Identity Theft. Again, after doing more research into authentication protocols I had the same problem as with Cryptography: the field was narrow.

Before my Computer Forensics final (May 2011), I was talking with one of my classmates, where he brought up Penetration Testing. I was skeptical about the field because I thought it was going to be like the last two I researched (cryptography and authentication protocols), but as I started doing more research I found myself to be even more intrigued. The field of penetration testing seemed to fit me perfectly. The field is not so narrow, meaning that if I wanted to change my scope of penetration testing it wouldn’t be a problem since there are many flavors of the field.

What I see this blog becoming:

My plan for the next couple of posts will be discussing tools I am playing with, would like to play with, and other general topics that deal with information security/penetration testing. By all means I would like this to be interactive. If anyone knows of tools/certifications that I need to successfully transition over to the field, please let me know.

Thanks. (o: