pwnPromedium

login

volgactf

Task: 32-bit static ELF assembly binary with stack buffer overflow (64-byte buffer, 128-byte read) and hidden gadgets in dead code. Solution: Two-stage exploit using iret to switch from 32-bit compat to 64-bit long mode, then SROP (Sigreturn-Oriented Programming) to set all registers and execve(\"/bin/sh\").

$ ls tags/ techniques/

buffer_overflow stack_overflow x86_64 rop srop sigreturn syscall static_binary x86 assembly iret 32_to_64_bit hidden_gadgets

stack_buffer_overflowstack_pivothidden_gadget_discoveryiret_mode_switchsrop_sigreturn_oriented_programmingexecve_via_sigreturn_frametwo_stage_payload

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][free]0xDiablos— hackthebox
[pwn][Pro]Вход не для всех (Entry is not for everyone)— hackerlab
[pwn][Pro]Easy ROP— hackerlab
[pwn][free]Getting Started— hackthebox
[pwn][free]Void— hackthebox