pwnPromedium

pwn9_mc4 — Mic Check: leak and pwn!

spbctf

Task: menu-driven glibc 2.31 heap allocator where delete() doesn't NULL the slot, making print and edit usable on freed chunks. Solution: unsorted-bin leak via a chunk > tcache max and a guard to prevent top-consolidation; tcache poisoning by editing the freed chunk's fd to __free_hook; write system into __free_hook; free('/bin/sh') → shell.

$ ls tags/ techniques/

heap uaf tcache-poisoning __free_hook unsorted-bin-leak glibc-2.31

unsorted_bin_leakfree_hook_overwritesystem_binshtcache_poisoning_no_safe_linking

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]pwn9_mc5 — Mic Check: leak and pwn 2!— spbctf
[pwn][Pro]pwn10_nosoeasy — No-So-Easy: tcache poison → GOT overwrite— spbctf
[pwn][Pro]pwn8_logger — logger_easy!(not) — UAF/alias + tcache poison— spbctf
[pwn][free]Portaloo— hackthebox
[pwn][free]Funkynator— hackthebox