PWN Format challenge — HTB
Format string, PIE & FULL RELRO bypass [x64]

This is my second walkthrough following the methodology described here.
As always, it will be:
- concise,
- straight to the point,
- without the detours that lead into the rabbit hole.
0. Download the binary.
1. Basic checks.
2. Run the binary with a format string as input and spot the vulnerability.
3. Disassemble the binary with your favorite disassembler.
The vulnerable function is printf(); a correct call would instead look like: printf("%s\n", argv[1]);
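To make the difference concrete, here is an added example (not the challenge binary's code) that models the echo() routine the walkthrough describes: the unsafe path hands user input to the printf machinery as the format, the safe path passes it as a %s argument, and a small guard function flags inputs that carry conversion directives. The function names, the static output buffer, and the sample inputs are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the HTB challenge's own code. It models the echo()
 * routine the walkthrough describes, where user input reaches printf()
 * as the format argument. snprintf() into a static buffer stands in for
 * printf() so the rendered output can be inspected and asserted on. */

static char out[128];

/* Vulnerable pattern: the input IS the format string. Every '%' directive
 * in it is interpreted by the printf machinery, which is what lets an input
 * such as "%37$p" read a pointer off the caller's stack. Only directives that
 * consume no arguments (like "%%") are exercised here, so the call itself
 * stays well defined. */
const char *render_unsafe(const char *input)
{
    snprintf(out, sizeof out, input);   /* format comes from the user */
    return out;
}

/* Hardened pattern: constant format, user data passed as a %s argument.
 * A '%' in the input is plain text and is printed literally. */
const char *render_safe(const char *input)
{
    snprintf(out, sizeof out, "%s\n", input);
    return out;
}

/* Defensive check: does `s` contain a conversion directive (a '%' that is
 * not the escaped "%%")? Returns 1 if so. Useful as a guard in front of a
 * legacy call site whose format cannot yet be made constant, and as a
 * logging signal that someone is probing the program with format strings. */
int has_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        return 1;               /* e.g. "%p", "%n", "%37$p" */
    }
    return 0;
}
```

Compiling with -Wformat-security (or -Werror=format-security in CI) flags the render_unsafe() call site, which is the cheapest way to catch this class of bug before it ships.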

4. General overview of what is being leaked:
- (1) 6th pointer: the beginning of the printf() output.
- (2) 30th pointer: three free bytes you need to keep in mind when leaking data through printf() (due to stack alignment); additionally, the direct parameter access index of this pointer changes depending on the amount of data passed to printf().
- (3) 37th pointer: the init+117 address, needed for calculating the libc base.

5. Run the binary in GDB (defeating PIE):
- set a breakpoint at the printf() in echo(),
- check the PIE offset of init+117 (before execution, in GDB),
- use direct parameter access, i.e. the input format string %37$p, to leak the init+117 address,
- calculate the ELF base address from the leak to bypass PIE.