pwnProeasy

pwn6boi

pwn_spbctf

Task: NON-PIE x86-64 binary with a stack canary reads 0x58 bytes into a 0x60 buffer, stopping exactly before the canary; a magic int gate (0xbaaaaaad) selects system(\"/bin/bash\") vs system(\"/bin/date\"). Solution: overwrite only the magic int (offset 0x44) with 0xc001d00d without touching the canary, spawning an interactive shell to cat flag.txt.

shell elf x86-64 system pwn nx no-pie canary remote overflow magic-value-overwrite state-variable

magic_value_overwritebounded_read_before_canarystate_variable_corruption

$ ls tags/ techniques/

shell elf x86-64 system pwn nx no-pie canary remote overflow magic-value-overwrite state-variable

magic_value_overwritebounded_read_before_canarystate_variable_corruption

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ cat writeup.md…

Sign in to access full writeups

Sign in to access full writeups

Similar writeups