pwnProeasy

Easy ROP

hackerlab

Task: a 64-bit PIE binary leaks code addresses and then overflows a 0x20-byte stack buffer with fgets(..., 0x4c, ...), while print_flag() is guarded by a global byte. Solution: use the leaks to bypass PIE, set rax=1 with a ROP gadget, write al into is_print_flag, and then call print_flag to print the remote flag.

$ ls tags/ techniques/

stack_overflow pie x86_64 rop no_canary nx full_relro shstk ibt leaked_addresses

pie_bypass_via_runtime_leaksrop_register_controlglobal_byte_writeret2win

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]Void— hackthebox
[pwn][Pro]Getting Started— hackthebox
[pwn][Pro]Говори - и будет исполнено (ask_and_you_shall_receive)— hackerlab
[pwn][Pro]0xDiablos— hackthebox
[pwn][Pro]Hospital (Больница)— duckerz