pwnmedium

По секрету всему свету

hackerlab

Task: WinRAR SFX containing a stripped ELF64 ncurses note-taking app with fake 'NOP encryption' (plaintext storage); read_note() has a buffer overflow where password[79] overwrites an adjacent flag variable. Solution: send 80-char payload ending with '}' to trigger system('cat ' + password), inject shell commands via semicolons to search the filesystem for the flag.

$ ls tags/ techniques/

command_injection reverse_engineering buffer_overflow x86_64 stripped_binary system_call ncurses sfx_archive nop_encryption

stack_variable_overwritesfx_archive_unpackingghidra_decompilationshell_metacharacter_injection_via_systemncurses_protocol_over_tcp

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub to get started.

$ssh [email protected]