pwnPromedium

rabbit_1 (rabbit in forest)

pwn_spbctf

Task: x86-64 PIE C++ shellcoding challenge that reads your shellcode into an mmap'd RW page, makes it RX and jumps to it; the flag is pre-loaded by a getFlag helper into one of 100 mmap'd singly-linked-list nodes. Solution: recover the list head from the parent frame ([rbp-8], unchanged because `call rax` does not touch rbp), walk node[0]=prev pointers, and write(1, node+8, 0x20) for the node whose 32-byte data starts with \"SPBCTF\". 88-byte newline-free shellcode assembled with keystone.

pie elf x86_64 cpp shellcode hidden_flag mmap pwn mprotect remote getflag keystone linked_list_walk rbp_relative newline_free

shellcode_injectionlinked_list_traversalrbp_relative_pointer_recoverymmap_rx_execkeystone_assembly

$ ls tags/ techniques/

pie elf x86_64 cpp shellcode hidden_flag mmap pwn mprotect remote getflag keystone linked_list_walk rbp_relative newline_free

shellcode_injectionlinked_list_traversalrbp_relative_pointer_recoverymmap_rx_execkeystone_assembly

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ cat writeup.md…

Sign in to access full writeups

Sign in to access full writeups

Similar writeups