Drak's personal information security blog

Dead or Alive was a hard Pwn challenge which composed of UAF bug inside a heap note type application. Bug was very similar to the Prison Break challenge, but without a Copy operation. Glibc present was pretty new (2.35) which means no hooks were available. I resorted to executing code by utilizing exit_funcs overwrite.

Prison Break was a classic vanilla heap note Pwn challenge with UAF bug. I had to leak libc addresses off the heap to acquire __free_hook address which could then be overwritten to system.

Reconstruction was very easy Pwn challenge, which contained a custom RWX region and arbitrary shellcode execution. This shellcode was allowed to only have certain bytes and the main purpose was to essentially set certain registers to exact values.

Recruitment was an easy Pwn challenge which included leaking from uninitialized variable and overflowing on the stack. As for RCE there was only 6 bytes of overflow on the return address, which essentially meant I had to resort to one gadget ROP.

In this post we will have a look at Hack the Box pwn challenge called Auth-or-out which was all about custom heap allocator and it’s exploitation.