pwnhard

Arms Roped

hackthebox

Task: ARM 32-bit binary exploitation under QEMU user-mode with PIE, Canary, and NX enabled. Solution: Multi-stage ROP chain — leak canary via partial overwrite, leak PIE base from saved LR, use ARM ret2csu to leak libc via GOT, then ret2libc with system("/bin/sh").

$ ls tags/ techniques/

stack_overflow rop ret2libc pwn arm32 canary_leak pie_leak ret2csu qemu_user aslr memcpy scanf_m got_leak libc_csu_init

canary_leak_partial_overwritepie_leak_saved_lrarm_ret2csulibc_leak_via_got_putsret2libc_system_binshmulti_stage_ropbyte_by_byte_leak

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub, then upgrade to Pro.

$ssh [email protected]