My personal writeups for pwnable.kr.
Only Toddler's Bottle challenges are included because I didn't solve the others yet out of respect for Rule 3:
3. Challenges in Toddler's Bottle are allowed to freely post the solutions online. However, please refrain from posting solution for challenges in other categories. But if you insist, post easy ones (solved by many people) and do not spoil too much details for the sake of fun.
All examples using python refer to versions 2.* of the language. Python 3.* won't work out-of-the-box because of the way it handles encoding with utf-8.
- Do
unlinkand its writeup. - Translate to portuguese.
Suppose you are stuck but don't want to spoil all the fun.
Here are some quick tips that may help you along the way:
Read wikipedia's article on file descriptors.
Find values that result in the hash after being summed up. Remember to input the result as little endian.
Read about buffer overflows in the classic Smashing the Stack for Fun and Profit. Also, LiveOverflow's playlists are awesome.
You can't reverse a packed binary.
Read about the Procedure Linkage Table (PLT) and the Global Offset Table (GOT).
This article and this entry on exploit-db are also very enlightening.
Random values need proper seeding, otherwise they become predictable.
Read about command substitution, I/O redirection and netcat.
Learn a bit about ARM to figure out the return values. Here's a great manual.
As the site says, read about C operator's precedence to find out the mistake.
Read wikipedia's article on shellshock.
Read about binary search (for the problem) and sockets (to programatically interact with the game).
It's nothing fancy, just a common logic mistake. Try to trick the game.
It's nothing fancy, just a common logic mistake. Some very simple bruteforcing is needed (less than 50 tries).
Read wikipedia's article on $PATH.
Be creative with bash. There's more than one solution.
Read this beginner's guide on Use-After-Free and this whitepaper on Dangling Pointers.
Read about daehee's codemap plugin for IDA.
Read about the MOVNTPS instruction and Alignment in C.
Read about shellcode creation. If you feel you don't quite get the SmashTheStack article yet, read this newbie-friendly guide:
Writing 64-Bit Shellcode (Part 1) & Writing 64-Bit Shellcode (Part 2)
Watch LiveOverflow's videos on malloc()/free() & unlink() exploitation and read Exploiting the Heap.
Once upon a free() is also very informative.
Special thanks to Ingrid Spangler for introducing me to this great hobby.