pwn4_encoder

pwn_spbctf

Task: NON-PIE x86-64 'EnCoder' pwn that hides a stack buffer overflow behind a strlen length gate; the XOR-random encoding output and clock() timing are deliberate red herrings. Solution: bypass the strlen(buf)>0x10 check with a leading NUL byte (read() still copies the full 1024-byte payload), then ret2plt ROP an open/read/puts chain to dump /home/task/flag.txt — brute-forcing the file descriptor (open returns fd 5 under socat, not 3).

elf x86-64 rop pwn nx stack-overflow no-pie remote fd-enumeration strlen-gate-bypass leading-nul ret2plt open-read-puts socat red-herring proc-self-maps

leading_nul_strlen_bypassret2plt_ropopen_read_puts_chainfd_brute_forceproc_self_maps_recon

$ ls tags/ techniques/

elf x86-64 rop pwn nx stack-overflow no-pie remote fd-enumeration strlen-gate-bypass leading-nul ret2plt open-read-puts socat red-herring proc-self-maps

leading_nul_strlen_bypassret2plt_ropopen_read_puts_chainfd_brute_forceproc_self_maps_recon

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]pwn4 rop_rop— pwn_spbctf
[pwn][Pro]characteristic— pwn_spbctf
[pwn][Pro]pwn2_sequential— pwn_spbctf
[pwn][Pro]pwn4 call_fcn_rop— pwn_spbctf
[pwn][Pro]pwn4 getflag_no_zeroes— pwn_spbctf