pwnmedium

ByteCrusher

dicectf_2026

Task: PIE binary with 16 trial calls to crush function and gets() in feedback. Solution: Use controlled rate parameter for OOB read to leak canary and PIE base byte-by-byte, then stack overflow via gets() for ret2win to admin_portal().

$ ls tags/ techniques/

buffer_overflow pie oob_read gets x86_64 pwn full_relro pie_leak stack_canary_leak

ret2winbyte_by_byte_stack_leak_via_oob_readcanary_leak_via_crush_ratepie_leak_via_return_addressgets_stack_overflow

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub, then upgrade to Pro.

$ssh [email protected]