pwnmedium

Closed Party

hackerlab

Task: stripped PIE ELF64 with Full RELRO, NX, no canary exposes a format string in the name prompt and a 16-byte buffer overflow in the answer prompt; .data contains a fake flag with C0DEBY. Solution: leak the return address at sequential %p position 47 to recover PIE base, then overflow the answer buffer to redirect execution to the flag-printing code at PIE_base+0x14ec.

$ ls tags/ techniques/

buffer_overflow pie stripped x86_64 format_string no_canary nx full_relro fake_flag

pie_base_recoveryret_to_winsequential_format_string_leakbuffer_overflow_ret_overwrite

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub to get started.

$ssh [email protected]