Unfortunately, I didn't solve it in the end. I lacked one crucial piece of knowledge and that led me down a way more complicated path instead of finding the easy solution. Was fun to participate and I'm really looking forward to the summary and analysis. https://twitter.com/MurmusCTF/status/1044628943645683713 …
-
-
I didn't know how to go from arbitrary read to leaking a stack address.

-
in which context? libc in memory?
-
Good old environ pointer :) I actually have a tool on github for situations like these where we want to find pointers to a certain memory region in the process memory. More useful for larger software, but sometimes helps in CTFs too https://github.com/niklasb/bingrep
-
Cool. Gotta check it. Yes so the situation was that I had base address of binary and arbitrary read and thus had libc base as well for example. Unfortunately I didn't know about the environ thing. I assumed there was a way but I failed to figure it out.
-
I also wrote https://github.com/bkth/gdb-addons for that exact purpose, especially useful for relative oob accesses.