pwnProhard

pwn5_rw

pwn_spbctf

Task: stripped NON-PIE/NX/no-canary binary with a stack buffer overflow whose read is capped at 64 bytes — too small for a full leak+ret2libc ROP chain in one shot. Solution: forward-pivot reads — set rbp into .bss and return to main's own read+leave epilogue, pivoting rsp into the freshly-read .bss buffer to stage a longer chain across multiple reads, then GOT-leak write@libc and ret2libc system('/bin/sh').

stack_overflow stripped elf x86_64 ret2libc rop stack_pivot pwn no_pie no_canary nx got_leak remote forward_pivot_read bss_pivot libc_2_31

ret2libcgot_leakbss_stack_pivotforward_pivot_readmulti_read_rop_chaining

$ ls tags/ techniques/

stack_overflow stripped elf x86_64 ret2libc rop stack_pivot pwn no_pie no_canary nx got_leak remote forward_pivot_read bss_pivot libc_2_31

ret2libcgot_leakbss_stack_pivotforward_pivot_readmulti_read_rop_chaining

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ cat writeup.md…

Sign in to access full writeups

Sign in to access full writeups

Similar writeups