forensicsProeasy

Forenser RBP

spbctf

Task: raw process stack dump (0x21000 bytes) from /proc/PID/maps region 0x7ffc1efb8000-0x7ffc1efd9000, find saved RBP of the function that returns to main. Solution: walk the x86_64 RBP linked-list chain (push rbp; mov rbp, rsp) and take the last saved RBP still pointing inside the stack region — that is main's RBP.

$ ls tags/ techniques/

x86_64 memory_dump stack_forensics rbp_chain frame_pointer pwn_adjacent

rbp_chain_walkingframe_pointer_traversalstack_dump_analysisva_range_from_filename

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[forensics][Pro]Forenser Retaddr— spbctf
[forensics][Pro]Forenser Canary— spbctf
[pwn][Pro]rbp— spbctf
[pwn][free]Getting Started— hackthebox
[pwn][Pro]stackgift— spbctf