No-Handouts
Ret2Libc except no shell L
We have a leak of a libc function address (system), as seen here; the challenge hints that there is no shell (/bin/sh does not work), so we will have to find another way to get the flag.
We can do this with the open, read and write libc calls, but first we need a way to write the string flag.txt somewhere in libc's memory that we can point to.
Since we have no stack leak and PIE is enabled, we cannot address the stack or the binary, but the libc base is known from the leak, so we can write the string into libc's .bss section (writable, and at a fixed offset from the base) and pass a pointer to that address to open, read and write.
The exploit flow is as follows:
1. Determine the cyclic offset needed to overwrite RIP (duh).
2. Determine the libc base address from the leak.
3. Write the string "flag.txt\x00" into libc's .bss.
4. Call libc's open, read and write functions with the right arguments to read the flag.
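Steps 2 and 3 rest on two facts the writeup uses without spelling out: ASLR only shifts libc's base, so every symbol and section keeps its offset from that base, and .bss is an allocated, writable NOBITS section whose address is recorded in the section headers. The following script is an added example, not code from the original writeup: it parses the section headers of an ELF64 image with only the standard library (the same data `readelf -S` prints), recovers the base from a leaked system address with a page-alignment sanity check, and confirms that a string fits in .bss. The libc image it runs on is a constructed minimal ELF standing in for libc.so.6, and the system offset 0x50d70 is a constructed placeholder for the value `readelf -s` would give on the real library.

```python
import struct

ELF_MAGIC = b"\x7fELF"
SHT_NOBITS = 8          # section occupies no file bytes (.bss)
SHT_STRTAB = 3
SHF_WRITE = 0x1
SHF_ALLOC = 0x2


def sections(elf: bytes) -> dict:
    """Map section name -> (sh_type, sh_flags, sh_addr, sh_size) for a little-endian ELF64 image."""
    if elf[:4] != ELF_MAGIC or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (shoff,) = struct.unpack_from("<Q", elf, 0x28)                 # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 0x3A)  # e_shentsize, e_shnum, e_shstrndx

    def shdr(i):
        # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size (remaining fields not needed)
        return struct.unpack_from("<IIQQQQ", elf, shoff + i * shentsize)

    strtab_off = shdr(shstrndx)[4]                  # file offset of .shstrtab
    out = {}
    for i in range(shnum):
        name_off, typ, flags, addr, _offset, size = shdr(i)
        end = elf.index(b"\x00", strtab_off + name_off)
        name = elf[strtab_off + name_off:end].decode()
        out[name] = (typ, flags, addr, size)
    return out


def libc_base(leaked_system: int, system_offset: int) -> int:
    """Recover libc's load address from a leaked &system and that symbol's file offset."""
    base = leaked_system - system_offset
    if base & 0xFFF:
        # Shared objects are mapped page-aligned; a misaligned base means the wrong libc build or offset.
        raise ValueError("base is not page-aligned: wrong libc build or wrong symbol offset")
    return base


def scratch_in_bss(elf: bytes, base: int, payload: bytes) -> int:
    """Runtime address of libc's .bss, after checking it is writable and large enough for payload."""
    secs = sections(elf)
    if ".bss" not in secs:
        raise ValueError("no .bss section")
    typ, flags, addr, size = secs[".bss"]
    if typ != SHT_NOBITS or flags & (SHF_WRITE | SHF_ALLOC) != (SHF_WRITE | SHF_ALLOC):
        raise ValueError(".bss is not a writable, allocated NOBITS section")
    if len(payload) > size:
        raise ValueError("payload does not fit in .bss")
    return base + addr


def build_sample_elf() -> bytes:
    """Constructed stand-in for libc.so.6: a minimal ELF64 with only a .bss and a .shstrtab section."""
    shstrtab = b"\x00.bss\x00.shstrtab\x00"          # names at string-table offsets 1 and 6
    shstrtab_off = 64                                 # placed right after the 64-byte ELF header
    shoff = shstrtab_off + len(shstrtab)              # section headers follow the string table

    def shdr(name, typ, flags, addr, offset, size):
        return struct.pack("<IIQQQQIIQQ", name, typ, flags, addr, offset, size, 0, 0, 1, 0)

    headers = (
        shdr(0, 0, 0, 0, 0, 0)                                                    # SHN_UNDEF
        + shdr(1, SHT_NOBITS, SHF_WRITE | SHF_ALLOC, 0x1EA000, 0x1E9000, 0x3000)  # .bss (constructed values)
        + shdr(6, SHT_STRTAB, 0, 0, shstrtab_off, len(shstrtab))                 # .shstrtab
    )
    ehdr = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 + struct.pack(
        "<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 2)
    return ehdr + shstrtab + headers


if __name__ == "__main__":
    libc = build_sample_elf()
    SYSTEM_OFFSET = 0x50D70                            # constructed placeholder for readelf -s output
    base = libc_base(0x7F1234567000 + SYSTEM_OFFSET, SYSTEM_OFFSET)
    print(hex(base), hex(scratch_in_bss(libc, base, b"flag.txt\x00")))
```

The alignment check is the cheap sanity test worth keeping in any leak-based base computation: when the leaked symbol belongs to a different libc build than the one whose offsets you are using, the subtraction still "works" but the result is almost never page-aligned, and that catches the mismatch before anything else goes wrong.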