pwn4 rabbit_3 (shellcoding)

pwn_spbctf

Task: x86-64 PIE C++ shellcode-golf pwn — read only 63 bytes of shellcode into an RX page under strict seccomp, with the flag hidden in one of 100 mmap'd linked-list nodes reachable via head=[rbp-8]. Solution: instead of byte-budget-heavy string comparison, dump every node's 32 data bytes to stdout with a 36-byte list-walk loop (push/pop syscall setup) and grep the flag client-side.

pie elf cpp x86-64 shellcode mmap pwn mprotect remote keystone seccomp-strict prctl linked-list-walk rbp-relative shellcode-golf 63-byte-limit dump-all

shellcode_golflinked_list_walkdump_all_filter_client_sidepush_pop_syscall_setuprbp_relative_headhand_computed_jnz_rel8

$ ls tags/ techniques/

pie elf cpp x86-64 shellcode mmap pwn mprotect remote keystone seccomp-strict prctl linked-list-walk rbp-relative shellcode-golf 63-byte-limit dump-all

shellcode_golflinked_list_walkdump_all_filter_client_sidepush_pop_syscall_setuprbp_relative_headhand_computed_jnz_rel8

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]pwn4 rabbit_2 (shellcoding)— pwn_spbctf
[pwn][Pro]rabbit_1 (rabbit in forest)— pwn_spbctf
[pwn][Pro]pwn4 getflag_no_zeroes— pwn_spbctf
[pwn][Pro]pwn4_call_fcn_small— pwn_spbctf
[pwn][Pro]pwn4 / call_fcn— pwn_spbctf