Posts

Showing posts from December, 2024

[PWN-heap] SunshineCTF 2024 - "secure_flag_terminal" Challenge

Image
 ( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) (إن أحسنت فمن الله، وإن أسأت فمن نفسي والشيطان) let's try to exploit a heap challenge. Reverse now we have the following options to do and we have a leak for "rand" function from libc and we have an opened flag with a fd number already stored in the heap and there is a bug in the write (option 2) which is an overflow, we can use it to modify the chunks metadata (note we are dealing with libc version 2.27) we have a libc leak and a heap overflow vulnerability (we just have 4 chunks to allocate at a time), what we will try to do is corrupt the metadata of chunks with the overflow to: read the dup_fd -> read stack address from libc -> overwrite the RIP Exploit first, i did a setup in my script to communicate with the binary in a simple way we have standards to leak an address from the heap or allocate an exact address and read from it using the overflow, so we will start with leaking the heap address in the next block, we w...