PicoCTF 2023 pwn/horsetrack - Heap Exploitation Challenge

2,248 views

SloppyJoePirates CTF Writeups


1 day ago

Comments: 11
@ani-zxk (1 month ago)
all writeup authors should aspire to reach this level of quality.
@benoitsevens359 (5 months ago)
Thanks for the great explanation. You actually don't need that libc leak (only the heap leak), since system is in the plt of the (non-PIE) binary, so you can call system via the binary, instead of directly via libc.
@SloppyJoePirates (4 months ago)
D'oh, thanks! Would have made the chal a bit simpler =P Rewatching the video, you can see my cursor pass over the system got/plt entry multiple times... sigh
@局外祥神浪跡天涯 (1 year ago)
Nice video writeup, thx
@SloppyJoePirates (1 year ago)
Someone (Voltara) reached out, and they think the issue with remote was because the remote server was using socat, and it's treating 0x7f as backspace characters. So because I was using the libc.system (0x7f....) to overwrite the G.O.T. instead of the plt.system (0x40....), the overwrite of the G.O.T. was messed up. More info: ir0nstone.gitbook.io/notes/types/stack/exploiting-over-sockets/socat It looks like you could run the exploit multiple times until you got a 0x7e... so, maybe this would have worked!
@reginiumepicmusic (7 months ago)
Great content. It's very useful. The solution I've found to the problem with the byte 0x7f with socat is to prefix the byte 0x16 to all conflicting bytes like 0x7f. I wanted to ask you if you know why, when I decompile the program with Ghidra, it's unable to decompile the part of the switch-case and leaves a large portion of the program undecompiled. Nothing similar to the decompilation you show. This has happened to me several times. Best regards. Thank you for this high-quality content.
@SloppyJoePirates (7 months ago)
Hey @reginiumepicmusic! Hmm, sorry, not too sure, haven't seen that before. I'm guessing you already tried updating to the latest version to see if that fixes it?
@reginiumepicmusic (7 months ago)
@SloppyJoePirates Thanks for your reply. Yes, I did. I updated and reinstalled it, but still the same. I can't understand it. Luckily, one day I will find the answer.
@redfire5887 (6 months ago)
I have been struggling with the same problem! If you happen to find a solution I would greatly appreciate your help @reginiumepicmusic
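The two points raised in the thread above (a libc address such as 0x7f... being mangled when the remote side runs socat with a pty, and the fix of prefixing conflicting bytes with 0x16) can be checked locally before sending anything. The following is an added example, not code from the video or from any commenter. It models the canonical-mode tty behaviour that causes the problem: 0x7f is the default erase character (DEL) and 0x16 (Ctrl-V, "lnext") quotes the next byte; it assumes those termios defaults, and the addresses used (a libc `system` at 0x7f1234567890 and a PLT `system` stub at 0x401080) are constructed stand-ins, not the challenge's real values.

```python
import struct

# Bytes that a pty line discipline in canonical mode consumes instead of passing
# through. Assumption: standard termios defaults. 0x7f is VERASE (DEL), which
# deletes the previous byte of the line; 0x16 is VLNEXT (Ctrl-V), which quotes
# the following byte. 0x16 must be escaped as well, otherwise it would be eaten
# as the quote character itself.
ESCAPE_NEEDED = frozenset({0x7f, 0x16})


def p64(value: int) -> bytes:
    """Little-endian 8-byte pack, as pwntools' p64 does."""
    return struct.pack("<Q", value)


def has_tty_hazard(addr: int) -> bool:
    """True if sending p64(addr) raw through a pty would be altered."""
    return any(b in ESCAPE_NEEDED for b in p64(addr))


def escape_for_pty(payload: bytes) -> bytes:
    """Prefix every hazardous byte with 0x16 (lnext) so it arrives verbatim."""
    out = bytearray()
    for b in payload:
        if b in ESCAPE_NEEDED:
            out.append(0x16)
        out.append(b)
    return bytes(out)


def tty_canonical_filter(data: bytes) -> bytes:
    """Simulate what the line discipline hands to the target process.

    A 0x16 drops itself and passes the next byte through untouched; an
    unquoted 0x7f erases the previous byte in the line buffer.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b == 0x16 and i + 1 < len(data):
            out.append(data[i + 1])
            i += 2
            continue
        if b == 0x7f:
            if out:
                out.pop()
            i += 1
            continue
        out.append(b)
        i += 1
    return bytes(out)


if __name__ == "__main__":
    LIBC_SYSTEM = 0x7f1234567890  # constructed libc address, not the real one
    PLT_SYSTEM = 0x401080          # constructed non-PIE PLT stub address

    for name, addr in (("libc system", LIBC_SYSTEM), ("plt system", PLT_SYSTEM)):
        raw = p64(addr)
        print(f"{name}: {raw.hex()} hazard={has_tty_hazard(addr)}")
        print("  arrives raw as     :", tty_canonical_filter(raw).hex())
        print("  arrives escaped as :", tty_canonical_filter(escape_for_pty(raw)).hex())
```

Running it shows the libc address losing a byte when sent raw (the 0x7f erases the 0x12 before it), while the same address wrapped by `escape_for_pty` and the PLT address either way survive intact. In a pwntools script the `escape_for_pty` call would wrap each `p64(...)` that is written into the GOT entry.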
@SB_3.1415 (1 year ago)
how is this thing only 300 points?!
@SloppyJoePirates (1 year ago)
haha, maybe the pico team just has a lot of faith in us