Pwnable.kr Level 1 Writeup

Just make some notes. Totally used about 24 hours.

The admin said that the writeup of other levels should not be shared...But it will not affect me yet, since I haven't do them yet ;).

collision

Just use perl

bof

Notice, the padding should be 52, not 32. And your terminal emulator might do bad things....

flag

RCE. So easy. Unpack manually and break at memcpy.

passcode

How to override fflush()?

random

Try to learn something about rand() and srand()...

input

Complex. But just try... Kind of boring.

leg

You need to see how the ARM fetch instructions. Interestring!

mistake

Time to print an priority table of C, and paste on your laptop.

shellshock

Just normal things. Nothing to mention about it.

coin1

good practice for the algo

blackjack

Another example of wrong type

lotto

try-and-fail. boring

cmd1 and cmd2

Many solutions are using PATH. But I love vim.

uaf

Block size is 0x18 bytes, so we need to free and get two 18 bytes block via the second option, which means the previous two blocks can be written. We can write a fake vTable address and modify the function pointer.

codemap

At least two available solutions:

  1. Write a debugger snippet to check parameters and return values of malloc
  2. Use "Heap Analyzer" in the Visual Studio

memcpy

If you got a SIGSEV, it might be caused by unaligned memory. Try to solve it. Notice that the management structure also took some space.

asm

Simple. Learn to use pwntools.

Looks like ptmalloc unlink. But site admin's solution is interestring.