pwnPromedium

pwn4 call_fcn_rop

pwn_spbctf

Task: NON-PIE 64-bit ELF with NX and no canary; a stack overflow in logic() and a win_fcn that prints the flag only if called with six exact register args. Solution: parse the libc base from the /proc/self/maps dump leaked at startup, then ret2libc system('/bin/sh') (with movaps stack alignment) instead of satisfying the 6-arg check, and read the real XOR-encoded flag from the server's /task binary .data.

elf x86-64 ret2libc rop pwn nx no-pie remote stack-alignment movaps proc-self-maps-leak libc-2.31 win-fcn-args flag-from-binary-data xor-decode

ret2libcrop_chainproc_self_maps_libc_leakstack_alignment_movapsflag_extraction_from_server_binaryxor_decode

$ ls tags/ techniques/

elf x86-64 ret2libc rop pwn nx no-pie remote stack-alignment movaps proc-self-maps-leak libc-2.31 win-fcn-args flag-from-binary-data xor-decode

ret2libcrop_chainproc_self_maps_libc_leakstack_alignment_movapsflag_extraction_from_server_binaryxor_decode

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ cat writeup.md…

Sign in to access full writeups

Sign in to access full writeups

Similar writeups