Fusion Level02- There is xor encryption with random value. First getting xor table.- just ROP!. leaking write() address and get system() address with 'offset'.- i just use system(). There is another way to get shell. execve()- Using execve() would be mo..
Fusion Level01 - Still NX is disabled but ASLR is on. - Now, we can't get buffer address from binary. - All u need is 'jmp esp' gadget 1234567891011121314151617from pwn import * # dup2(0, 0) + dup2(0, ..
Fusion Level00- There aren't any memory protections even NX. So i just use shell-code.- That service is on port 20000. and be careful at 'fd'.- In fix_path(), There is stack buffer overflow vulnerability.- RET -> 140 ~ 143 123456789101112131415161718..
SolutionsLevel 00 1234567level00@nebula:~$ find / -perm -4000 -user flag00 2>/dev/null/bin/.../flag00/rofs/bin/.../flag00level00@nebula:~$ /bin/.../flag00Congrats, now run getflag to ge..