pwn hard

holy_cit

miptctf

Task: exploit a CRUD service written in HolyC (the TempleOS language) and compiled with hcc for Linux. The service uses a custom allocator that wraps glibc malloc and adds an 8-byte size header.

Solution: exploit a bug in _REALLOC, which copies old_size bytes instead of min(old_size, new_size), to overflow 8 bytes into adjacent chunks. Forge HolyC size headers to create fake unsorted bin chunks for a libc leak, create overlapping chunks for a heap leak, then use tcache poisoning with a safe-linking bypass to gain an arbitrary write and execute a ROP chain.

$ ls tags/ techniques/
tcache_poisoning  safe_linking_bypass  rop_chain  unsorted_bin_leak  holyc_size_header_forgery  realloc_overflow  heap_leak_via_overlap  stack_leak
