Writeup for the Nightmare CTF Challenge from 2022 DiceCTF
TLDR: One byte write, no leak.
- Infinite loop through an overwrite of the binary's link map
- Determination of a useful ROP gadget, which has to fit several extensive criteria
- Partial overwrite of the DT_JMPREL table pointer
- Partial overwrite of the DT_STRTAB pointer
- Overwrite of the libc link map
- Repeat steps 2-5 until the ROP chain has been built
- Partial overwrite of the DT_FINI_ARRAYSZ entry (the size of fini_array)
- Use steps 3 & 4 to call exit, which in turn calls the ROP chain
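As an added illustration of the two partial-overwrite steps above (this is not code from the writeup, the challenge binary or ld.so), the following C program models what ld.so's lazy binder does when a PLT stub hands it a relocation index: it reads DT_JMPREL, DT_SYMTAB and DT_STRTAB from the dynamic section and chains Rela -> Sym -> name. The tables, symbol names, GOT slot addresses and offsets are constructed for the demo and placed in a 256-byte-aligned struct so the low byte of each table is known in advance, which is exactly the property a one-byte write without a leak relies on. A single low-byte write to DT_STRTAB then makes the relocation for `puts` resolve the string "system", and a single low-byte write to DT_JMPREL makes reloc index 0 use `exit`'s relocation (and GOT slot) instead.

```c
#include <elf.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample image (not bytes from the challenge): string table,
 * symbol table and PLT relocation table laid out as ld.so's lazy binder
 * expects. 256-byte alignment makes the low byte of each table predictable,
 * which is what a one-byte partial overwrite relies on. */
struct image {
    char       strtab[32];   /* offset 0x00: "\0puts\0exit\0system" */
    Elf64_Sym  symtab[4];    /* offset 0x20 */
    Elf64_Rela jmprel[2];    /* offset 0x80: puts@plt, exit@plt */
} __attribute__((aligned(256)));

static const struct image img = {
    .strtab = "\0puts\0exit\0system",          /* puts=1, exit=6, system=11 */
    .symtab = {
        { 0 },                                                        /* STN_UNDEF */
        { .st_name = 1,  .st_info = ELF64_ST_INFO(STB_GLOBAL, STT_FUNC) }, /* puts */
        { .st_name = 6,  .st_info = ELF64_ST_INFO(STB_GLOBAL, STT_FUNC) }, /* exit */
        { .st_name = 11, .st_info = ELF64_ST_INFO(STB_GLOBAL, STT_FUNC) }, /* system */
    },
    .jmprel = {
        { .r_offset = 0x404018, .r_info = ELF64_R_INFO(1, R_X86_64_JUMP_SLOT) }, /* puts@plt */
        { .r_offset = 0x404020, .r_info = ELF64_R_INFO(2, R_X86_64_JUMP_SLOT) }, /* exit@plt */
    },
};

/* Dynamic-section entries the binder reads. The exploit corrupts these in
 * place, so they live in a caller-supplied writable array. */
void build_dynamic(Elf64_Dyn dyn[4]) {
    dyn[0].d_tag = DT_STRTAB; dyn[0].d_un.d_ptr = (Elf64_Addr)img.strtab;
    dyn[1].d_tag = DT_SYMTAB; dyn[1].d_un.d_ptr = (Elf64_Addr)img.symtab;
    dyn[2].d_tag = DT_JMPREL; dyn[2].d_un.d_ptr = (Elf64_Addr)img.jmprel;
    dyn[3].d_tag = DT_NULL;   dyn[3].d_un.d_val = 0;
}

static Elf64_Dyn *find_dyn(Elf64_Dyn *dyn, Elf64_Sxword tag) {
    for (; dyn->d_tag != DT_NULL; dyn++)
        if (dyn->d_tag == tag) return dyn;
    return NULL;
}

/* Miniature of _dl_fixup: the PLT stub pushes a reloc index; ld.so turns it
 * into a Rela via DT_JMPREL, a symbol via DT_SYMTAB and a name via DT_STRTAB.
 * All three pointers come from the dynamic section, so a corrupted entry
 * silently changes which symbol gets resolved and which GOT slot is written. */
const char *lazy_bind_name(Elf64_Dyn *dyn, size_t reloc_index, Elf64_Addr *slot_out) {
    Elf64_Dyn *dstr = find_dyn(dyn, DT_STRTAB);
    Elf64_Dyn *dsym = find_dyn(dyn, DT_SYMTAB);
    Elf64_Dyn *djmp = find_dyn(dyn, DT_JMPREL);
    if (!dstr || !dsym || !djmp) return NULL;
    const Elf64_Rela *rel = (const Elf64_Rela *)djmp->d_un.d_ptr + reloc_index;
    const Elf64_Sym  *sym = (const Elf64_Sym *)dsym->d_un.d_ptr + ELF64_R_SYM(rel->r_info);
    if (slot_out) *slot_out = rel->r_offset;
    return (const char *)dstr->d_un.d_ptr + sym->st_name;
}

/* The writeup's primitive, modelled: one byte written over the low byte of a
 * dynamic entry. No address leak is needed, only the low byte, which the
 * binary's layout and alignment already fix. */
void partial_overwrite_low_byte(Elf64_Dyn *dyn, Elf64_Sxword tag, uint8_t new_low) {
    Elf64_Dyn *d = find_dyn(dyn, tag);
    if (d) d->d_un.d_ptr = (d->d_un.d_ptr & ~(Elf64_Addr)0xff) | new_low;
}

/* Untouched dynamic section: reloc index 0 is puts. */
const char *demo_baseline(void) {
    Elf64_Dyn dyn[4]; build_dynamic(dyn);
    return lazy_bind_name(dyn, 0, NULL);
}

/* "Partial overwrite of DT_STRTAB": shift the string table by 10 bytes, so the
 * symbol for puts (st_name == 1) now names "system". */
const char *demo_strtab_shift(void) {
    Elf64_Dyn dyn[4]; build_dynamic(dyn);
    partial_overwrite_low_byte(dyn, DT_STRTAB, 0x0a);
    return lazy_bind_name(dyn, 0, NULL);
}

/* "Partial overwrite of DT_JMPREL": move the table up by one Rela (24 bytes),
 * so reloc index 0 (puts@plt) is processed with exit's relocation instead. */
const char *demo_jmprel_shift(Elf64_Addr *slot_out) {
    Elf64_Dyn dyn[4]; build_dynamic(dyn);
    partial_overwrite_low_byte(dyn, DT_JMPREL,
        (uint8_t)(offsetof(struct image, jmprel) + sizeof(Elf64_Rela)));
    return lazy_bind_name(dyn, 0, slot_out);
}

/* GOT slot the shifted DT_JMPREL would make the binder write to. */
Elf64_Addr demo_jmprel_shift_slot(void) {
    Elf64_Addr slot = 0;
    demo_jmprel_shift(&slot);
    return slot;
}

int main(void) {
    Elf64_Addr slot = 0;
    printf("baseline   : reloc 0 -> %s\n", demo_baseline());
    printf("strtab+0x0a: reloc 0 -> %s\n", demo_strtab_shift());
    printf("jmprel+24  : reloc 0 -> %s (GOT slot %#lx)\n",
           demo_jmprel_shift(&slot), (unsigned long)slot);
    return 0;
}
```

Build with `gcc -o dyn_demo dyn_demo.c` on Linux. In the real target the same three pointers sit in the binary's writable `.dynamic` section and ld.so reaches them through the link map's `l_info` array, which is why the steps above touch the link maps as well as the dynamic entries; the constraint the model makes visible is that a one-byte write can only move a table within its 256-byte window, so the useful shifts are dictated by what happens to lie there.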
Prologue
This challenge was extremely difficult, and I recommend reading the original author's writeup to see how intense the intended method is: https://hackmd.io/@pepsipu/ry-SK44pt. With that said, I'm going to show you a method that ignores most of the primitives stated in that article and takes a completely different approach, one that even the author thought was impossible.