Category: pwn
Author: R3D
Beth had to always write down every move in order to later analyze and improve her game.
We took care of the analysis part. Our software analyzes your moves to help you improve as fast as possible.
150
- It provides an information leak opportunity when the `move.color` pointer is overwritten and the album name is printed.
- It provides a write-what-where primitive when the `move.color` pointer is overwritten and input is provided to the second prompt.
- Leak the address of puts@got
- Get EIP control
- Identify libc and gather offsets
- Overwrite puts@got with system
A solution that performs the above steps is provided in sol.py
Run against local docker container
python2.7 sol.py HOST=localhost
Run against CyberRanges (the IP might change, so adjust the value of the HOST parameter)
python2.7 sol.py R HOST=192.168.125.11
Run against local binary
python2.7 sol.py