Comment by stackghost
8 hours ago
These come up in CTFs all the time. One trick I don't see here is you can use `dd` to write into the `/proc` hierarchy to achieve all sorts of fuckery including patching shellcode into a running process.
8 hours ago
These come up in CTFs all the time. One trick I don't see here is you can use `dd` to write into the `/proc` hierarchy to achieve all sorts of fuckery including patching shellcode into a running process.
You learn the most random ways to abuse program features, one I still remember because of how long it took to figure it out was an htb box that (after a long exploitation path) used NTFS ADS to hide the flag within the alternate stream in a decoy file; and of course the normal way to extract the stream was disabled so had to do some black magic with other binaries to get it
I don't think I've used any of these in a CTF tbh
I've definitely used one or two in the last 6 months
For what kind of challenge? Most of these are not even available in CTF environments
3 replies →
Huh? How does that work exactly? I've heard of /proc fuckery before but didn't know you could disable aslr with it.
If you have /proc available, you don't even need to disable ASLR (all mappings are available to you)
Hey you know what, I've used dd to write into process memory but haven't actually used it to disable KASLR, so it's possible I am misremembering. My bad.
:(
Sounds super 1337 and I hope it's actually possible somehow.
2 replies →