pwneasy

Easy ROP

hackerlab

Task: a 64-bit PIE binary leaks code addresses and then overflows a 0x20-byte stack buffer with fgets(..., 0x4c, ...), while print_flag() is guarded by a global byte. Solution: use the leaks to bypass PIE, set rax=1 with a ROP gadget, write al into is_print_flag, and then call print_flag to print the remote flag.

$ ls tags/ techniques/

stack_overflow pie x86_64 rop no_canary nx full_relro shstk ibt leaked_addresses

ret2winpie_bypass_via_runtime_leaksrop_register_controlglobal_byte_write

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub to get started.

$ssh [email protected]