Write Me Not Reborn

pwn_spbctf

Task: NON-PIE x86-64 pwn binary whose get_flag runs strstr(attacker_pointer, \"root\") and prints /flag on a match. Solution: point the haystack pointer at the in-binary \"root\" constant (relocated to 0x402067 in this 'Reborn' variant) so strstr matches and print_flag dumps the flag.

elf x86-64 beginner pwn no-pie remote logic-bypass strstr rodata-constant

strstr_attacker_controlled_pointerrodata_constant_reuselogic_flaw_bypass

$ ls tags/ techniques/

elf x86-64 beginner pwn no-pie remote logic-bypass strstr rodata-constant

strstr_attacker_controlled_pointerrodata_constant_reuselogic_flaw_bypass

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]Write Me Not— pwn_spbctf
[pwn][Pro]fptr Reborn— spbctf
[pwn][Pro]pwn4 / call_fcn— pwn_spbctf
[pwn][Pro]pwn4 getflag_no_zeroes— pwn_spbctf
[pwn][Pro]rbp2— pwn_spbctf