pwn6www / storage

pwn_spbctf

Task: NON-PIE x86-64 binary with a menu exposing an arbitrary read (printf %s at an attacker address) and an arbitrary 8-byte write-what-where, plus a controlled puts(buf) call. Solution: leak libc from an already-resolved GOT entry, overwrite puts@GOT with system, then trigger puts(\"/bin/sh\") = system(\"/bin/sh\") for a shell. Key pitfall: leaking an UNRESOLVED GOT slot (lazy binding) gives a wrong base.

elf x86-64 system pwn got-leak no-pie got-overwrite partial-relro arbitrary-read write-what-where remote libc-2.31 www puts-to-system lazy-binding unresolved-got-pitfall

got_leakwrite_what_wherearbitrary_read_via_printf_slibc_base_calculationgot_overwrite_puts_to_systemcontrolled_rdi_call

$ ls tags/ techniques/

elf x86-64 system pwn got-leak no-pie got-overwrite partial-relro arbitrary-read write-what-where remote libc-2.31 www puts-to-system lazy-binding unresolved-got-pitfall

got_leakwrite_what_wherearbitrary_read_via_printf_slibc_base_calculationgot_overwrite_puts_to_systemcontrolled_rdi_call

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]word storage— pwn_spbctf
[pwn][Pro]pwn5_rhook— pwn_spbctf
[pwn][Pro]pwn5_rw— pwn_spbctf
[pwn][Pro]pwn5_exit— pwn_spbctf
[pwn][Pro]ints (ret2libc 10)— pwn_spbctf