pwnmedium

ReplaceMe

hackthebox

Task: sed-like string replacement utility with read() not adding null terminator and contiguous BSS buffers. Solution: 3-pass ret2libc exploiting strlen inflation across buffer boundary, partial return address overwrite for PIE leak, GOT read for libc leak.

$ ls tags/ techniques/

stack_overflow pie ret2libc partial_overwrite pwn glibc_2.31 no_canary full_relro memcpy bss_overflow sed_parser read_no_null strlen_overflow

multi_pass_ret2libcpartial_ret_addr_overwritepie_leak_via_fputslibc_leak_via_gotbss_contiguous_strlen_inflationlocal_variable_overwrite_controlstack_alignment_tracking

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub, then upgrade to Pro.

$ssh [email protected]