pwn / hard
Имя Профи, назови своё имя 😎 (Pro Name, Say Your Name)
hackerlab
Task: a non-PIE ELF64 binary reads 0x100 bytes into a 16-byte stack buffer, giving a classic ROP entry point, but the remote runtime does not match normal glibc assumptions. Solution: leak .dynamic, recover DT_DEBUG, walk link_map to fingerprint musl/gcompat, pivot into .bss, and use musl syscall gadgets to enumerate /app and read /app/flag.txt.
$ ls tags/ techniques/
tags/: stack_overflow x86_64 rop stack_pivot no_pie partial_relro no_canary nx syscall_rop musl dynamic_linker dt_debug link_map
techniques/: memory_leak_recon dt_debug_link_map_walk remote_libc_fingerprinting bss_stack_pivot syscall_rop getdents64_enumeration