pwnProeasy

popa-ot-ropa (Mic Check 10)

pwn_spbctf

Task: NON-PIE x86-64 ELF that dumps /proc/$PPID/maps at startup (leaking libc base) then does an unbounded gets() into a stack buffer. Solution: classic ret2libc — parse libc base from the leaked maps, overflow at offset 0x48, and use the in-binary 'pop rax; mov rdi, rax; ret' gadget plus a leading ret for movaps alignment to call system('/bin/sh').

elf x86-64 ret2libc pwn no-pie glibc-2.31 remote gets-overflow maps-leak pop-rax-rdi-gadget stack-alignment

ret2libcgets_stack_overflowlibc_base_leak_from_mapspop_rax_to_rdi_gadgetmovaps_stack_alignment

$ ls tags/ techniques/

elf x86-64 ret2libc pwn no-pie glibc-2.31 remote gets-overflow maps-leak pop-rax-rdi-gadget stack-alignment

ret2libcgets_stack_overflowlibc_base_leak_from_mapspop_rax_to_rdi_gadgetmovaps_stack_alignment

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ cat writeup.md…

Sign in to access full writeups

Sign in to access full writeups

Similar writeups