pwnProeasy

pwn5_www1

pwn_spbctf

Task: non-PIE x86-64 'mic check' pwn exposing a raw write-what-where primitive (*(qword*)addr = value, both attacker-controlled) where a secret global gates the /flag print. Solution: overwrite the fixed secret global at 0x40408c with 0x10203040, minding the scanf formats (%10d signed decimal for value, %8x hex for address).

elf x86-64 pwn no-pie partial-relro write-what-where remote www global-overwrite scanf-format mic-check

global_variable_overwritewrite_what_wherescanf_format_awareness

$ ls tags/ techniques/

elf x86-64 pwn no-pie partial-relro write-what-where remote www global-overwrite scanf-format mic-check

global_variable_overwritewrite_what_wherescanf_format_awareness

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ cat writeup.md…

Sign in to access full writeups

Sign in to access full writeups

Similar writeups