[JET] Fortress

@roowashere said:

Ok, after a few days, I am going to have to ask for a nudge on the memo exploit.

(disclaimer: I have not solved elasticity, nor decrypted t**y’s openssl-generated files)

I can corrupt the heap (causing malloc() ‘corrupted top’ crashes), and can also overwrite enough stack to control RSI going into a printf() - which could leak the canary (or any address), but I can’t actually see a vuln that overwrites the canary in the first place…

I have been operating under the assumption I was after code execution, but realized last night that it might be a ‘leak-the-flag’ objective.

Any hints? (No solutions please, just a small push in the direction to look.)

$ id
uid=1007(memo) gid=1007(memo) groups=1007(memo)
$ hostname
jet

Jesus. That was a ■■■■ of a ride and definitely ‘a little outside of my abilities’.

The amount I have learned in the last 72 hours is insane and has filled in some huge gaps in my knowledge regarding heap exploitation.

Couldn’t have done it without liveoverflow, quentinmeffre.fr, and idevilkz. Props.

It’s been a ride for me too. I started this box about a month ago and am still doing it :slight_smile:
I found out that there was a huge gap in my skill set for:

++ python coding / programming (the gap has shrunk but is still there; I have signed up for some Udemy courses on Python for networking and pentesting, and need to finish and practice those too).

++ buffer overflows (spent a great amount of time learning about those, very interesting, but when I started originally it took me 2 days just to get my head around it, and then it started flowing)
++ heaps — again, mind boggling to start with, and I am sure come the next challenge I will have to dig through my notes again, but it’s there at the back of my mind.

++ still got to solve elasticity but haven’t had the chance. I was rushing to get Patents user/root but completely forgot, and now it’s retired, and on top of that there’s a new Fortress to look into.