This binary-explotation challenge has now been released over 200 days. But it is pwned only with less than 60 'pwners'. And it's indeed a fun challenge that we cannot pwn it with usual methods under its tricky design. So I don't think we should sploit this game by releasing a step-by-step writeups for script kiddies.
Many players asked me for hints that I am glad to help with some mind-breaking thoughts. In general, I would say it's stack explotation rather the heap one. For this blog, I further made a video for the challenge with a complete gothrough that you may find those hints inside the video:
It should be clear enough for those whom have made some progress but stuck at some point. Or you could leave me a message to discuss the challenge after you have made some foothold. But to be noticed, I don't intend to 'discuss' by providing a tutorial, for the pwning process could just be one of the most time-consuming challenges on HTB.
I may come back to post a complete writeup if the challenge is sploited somehow, or the game is retired someday.
Comments | 5 comments
I am tackling this challenge and think I know the exploitation technique required based on some context clues, but can’t figure out the correct exploit path to trigger it. I’ve got a good leak primitive working, I just need to actually control some memory. Are we meant to use House of Spirit?
@intenseapple No, just off-by-null and stack pivot
@Axura i know stack pivot, but the main is not return , how to set rbp to rsp?
@steata got it , off-by-null can overwrite fgets ret address.
is about double free?