pwnmedium

TicTacToed

hackthebox

Task: a Rust game binary hid a second-stage C2 interface behind a specific 5x5 tic-tac-toe pattern and access code. Solution: re-download the latest archive, recover the correct embedded ELF offsets, leak PIE with the H option, then use a use-after-free to overwrite a callback with getSecret and print the real remote flag.

$ ls tags/ techniques/

pie use_after_free function_pointer tcache pwn rust hidden_interface binary_extraction

hidden_pattern_unlockpie_leak_via_function_pointeruse_after_free_callback_hijacktcache_reuse

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub to get started.

$ssh [email protected]