pwnmedium

They

hackerlab

Task: 64-bit login service split between a main ELF and `libanswer.so`; after valid credentials, `answer_f()` reads 145 bytes into a 32-byte stack buffer. Solution: use a short ROP chain in the non-PIE main binary to set the gate byte to 1, rewrite `ls` to `sh`, and fall back into the built-in `jmp()` path to execute `system(\"sh\")`.

$ ls tags/ techniques/

elf64 x86_64 rop shared_library no_pie partial_relro nx stack_buffer_overflow credential_recovery system_reuse

stack_buffer_overflowcredential_recovery_via_stringsrop_without_libc_leakwritable_memory_patchinternal_command_path_reuse

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub to get started.

$ssh [email protected]