pwn4_win

pwn_spbctf

Task: 64-bit PIE ELF with executable stack reads exactly 12 bytes onto the stack and calls them; a win() function reading /flag exists but its PIE address is unknown. Solution: write tiny shellcode that reads the saved return address already on the stack (base+0x12af), subtracts the constant PIE-invariant delta 0xea to compute win() (base+0x11c5), and jumps there without popping to keep rsp 16-byte aligned and avoid a movaps fault in fopen.

pie elf x86-64 shellcode pwn remote stack-alignment movaps executable-stack tiny-shellcode self-relative-jump saved-rip

shellcode_jumpsaved_rip_self_relative_jumppie_relative_offsettiny_shellcodestack_alignment_preservation

$ ls tags/ techniques/

pie elf x86-64 shellcode pwn remote stack-alignment movaps executable-stack tiny-shellcode self-relative-jump saved-rip

shellcode_jumpsaved_rip_self_relative_jumppie_relative_offsettiny_shellcodestack_alignment_preservation

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]pwn4 / call_fcn— pwn_spbctf
[pwn][Pro]rbp2— pwn_spbctf
[pwn][Pro]pwn4_call_fcn_small— pwn_spbctf
[pwn][Pro]pwn4 getflag_no_zeroes— pwn_spbctf
[pwn][Pro]pwn4 call_fcn_rop— pwn_spbctf