LACTF 2026 - Tcademy

Download the binary files here

Foreword

This was a semi-normal heap challenge, but it was my first time exploiting a heap vulnerability so there was a lot of trial-and-error to understand how the heap works. Most of this solve is intended, with two small exceptions that I’ll make note of when they come up. Overall, I would say this was a good challenge that was quite difficult (but solvable) for me; it took me a total of ~14 hours, but a lot of that was messing around with things and being quite inefficient (I told you it was my first heap challenge). ...

05/08/2026 · Me

SunshineCTF 2025 - Jacksonville

Download the binary here

My go-to process for binary exploitation (pwn) challenges is:

1. Check Security (checksec or the file command)
2. Dogbolt / Ghidra
3. pwntools (see above link)

Step 1: Security

The output of checksec was:

    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
    RUNPATH:  b'$ORIGIN'
    SHSTK:    Enabled
    IBT:      Enabled
    Stripped: No

The critical values we’re looking for are:

- “Stack” (no canary is good)
- “NX” (NX enabled means we can’t execute instructions on the stack)
- PIE (no PIE means the binary’s functions will be at the same memory addresses every time).

The good news is that we don’t have to worry about stack canaries and if we can find a buffer overflow, then we should be able to return to any function in the program we want. ...

12/18/2025 · Me