pwnmedium

По секрету всему свету (Telling the Whole World a Secret)

hackerlab

Task: ncurses note-taking app (SNFE.elf) in SFX archive with fake 'NOP' encryption; wgetnstr reads 80 chars into buffer with only 79 bytes before a gate variable. Solution: overflow the 80th byte to '}' (0x7d) to trigger system('cat ' + input), inject shell commands to find flag in /tmp/.root_backup/.root_lock.

$ ls tags/ techniques/

command_injection docker buffer_overflow pie x86_64 off_by_one stripped_binary system_call ncurses sfx_archive

sfx_extractionfilesystem_enumerationcommand_injection_via_systemsingle_byte_overflowncurses_application_mode_keys

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub to get started.

$ssh [email protected]