Tags: pwn 

## About

When the challenge starts, it lets you set two variables: an initial node located 40 bytes past the
leaked address, and a second node located 8 bytes past the leak. We can write up to 15 bytes of data,
which leaves a limited number of options for fitting in shellcode.

The binary's segments are mapped RWX, but it is built as PIE, which prevents us from attempting ROP.
However, on return you'll notice that the RDI, RSI and RDX registers are already set to:
a. RDI => 0;
b. RSI => (ARBITRARY STACK ADDRESS);
c. RDX => 0;

Combining this with the RWX mappings and read(), we should be able to write shellcode and jump to it,
all within 15 bytes.
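The two properties the writeup relies on (RWX segments, PIE) are exactly what a checksec-style tool reports. As an added defender-side example, not the writeup's own code, here is a small ELF64 program-header parser that flags writable-and-executable PT_LOAD segments, an executable stack and PIE; the ELF images it runs on are constructed inline as test fixtures, and you can pass a real binary path on the command line instead.

```python
import struct
import sys

# ELF64 constants (values from the System V ABI / Linux elf.h)
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
ET_EXEC, ET_DYN = 2, 3

def elf_mitigations(data: bytes) -> dict:
    """Report PIE status, RWX PT_LOAD segments and stack executability of an ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    rwx_segments, gnu_stack_flags = [], None
    for i in range(e_phnum):
        p_type, p_flags, _off, p_vaddr, _paddr, _filesz, p_memsz = struct.unpack_from(
            "<IIQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and (p_flags & (PF_R | PF_W | PF_X)) == (PF_R | PF_W | PF_X):
            rwx_segments.append((p_vaddr, p_memsz))  # writable *and* executable mapping
        elif p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags
    # No PT_GNU_STACK header means the kernel uses its default, historically an executable stack.
    exec_stack = gnu_stack_flags is None or bool(gnu_stack_flags & PF_X)
    return {"pie": e_type == ET_DYN, "rwx_segments": rwx_segments, "exec_stack": exec_stack}

def build_elf(e_type: int, phdrs: list) -> bytes:
    """Constructed fixture: header-only ELF64 image with the given (p_type, p_flags, p_vaddr) entries."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian, EV_CURRENT
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                                 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, va, va, 0x1000, 0x1000, 0x1000)
                    for t, f, va in phdrs)
    return header + body

# Constructed samples: the layout the writeup describes (PIE but RWX) versus a conventionally hardened one.
SAMPLE_RWX_PIE = build_elf(ET_DYN, [(PT_LOAD, PF_R | PF_W | PF_X, 0x1000),
                                    (PT_GNU_STACK, PF_R | PF_W | PF_X, 0)])
SAMPLE_HARDENED = build_elf(ET_EXEC, [(PT_LOAD, PF_R | PF_X, 0x400000),
                                      (PT_LOAD, PF_R | PF_W, 0x600000),
                                      (PT_GNU_STACK, PF_R | PF_W, 0)])

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RWX_PIE
    print(elf_mitigations(image))
```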

I've written some simple shellcode under set_variables, which zeros out RAX to get the read SYSCALL number,
sets RDX to our shellcode size, calls the SYSCALL, then jumps to the stack address that's been written into.

Solution [here](https://gist.github.com/realoriginal/6b59844f8da27c5d06a0c43be6c80aaa)