Swix

Securinets-Quals-CTF-2023   PWN  

题目作者: 未知

一　　血: ‌‌‌‌‌admin889

一血奖励: 0金币

解　　决: 1

提　　示:

Notes:

• Source code was given to help with debugging.

• Exploiting the dlresolve function to call system("sh")

• System has access to environment variables (PATH) therefore, calling system("sh") would work perfectly fine.
• Puts uses heap before printing a message therefore, by leaking a heap address, you can calc the address of "I'm safe! I wish" stored in heap & should be able to use the last "sh" for the system call.
• The dlresolve payload must be crafted manually in the given structures. The addresses are aligned.
• Use magicMove to call the dlresolve function.

Unintended by Robbert1978 (Discord tag)

One of the unintended solutions caught my interest, which is this one. The unintended solution consists of creating a 1 argument function call primitive. That's one creative way to do it.

Link for writeup/solver & blog: Link

附　　件: 下载

去做题