The binary has the following mitigations:
| Mitigation | Status |
|------------|--------|
| NX (non‑executable stack) | Enabled |
| PIE | Disabled (binary has a fixed base address) |
| Full RELRO | Enabled (GOT entries are read‑only) |
| Canary | Not present (no stack canary) |
Because NX is present, shellcode placed on the stack cannot be executed. Instead we will perform a Return‑Oriented Programming (ROP) attack using gadgets found inside the binary and libc.
The goal is to call system("/bin/cat flag.txt"). Two options:
The easier route is Option 2, because we can simply overflow the return address to point to a ROP chain that does:

```
pop rdi ; ret        ; load address of "/bin/cat flag.txt"
<addr_of_string>
system               ; call libc's system
exit                 ; clean termination
```
| Item | Value |
|------|-------|
| OS | Ubuntu 20.04 (64‑bit) |
| Architecture | x86‑64 |
| Toolchain | gcc 9.3.0, gdb 9.2, pwndbg, radare2, objdump, readelf |
| libc | glibc 2.31 (the version shipped with Ubuntu 20.04) |
| Exploit language | Python 3 (pwntools) |
| Debugger | gdb with pwndbg / gef |
The binary is provided as ipzz281. It is not PIE‑enabled, but has full RELRO and a non‑executable stack.

```
$ file ipzz281
ipzz281: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, \
interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=..., \
stripped
```
Note: Even though the file reports “stripped”, the challenge name “full” tells us that a debug build (with symbols) is also supplied. In the write‑up we will use the version with symbols because it makes the analysis clearer.
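The mitigation table at the top of this write‑up is exactly what checksec‑style tools derive from the ELF program headers and the dynamic section. The following script is an added example (not part of the original write‑up and not a tool from the challenge) that shows how each of the four properties is read from the file: NX from the PT_GNU_STACK flags, PIE from e_type, RELRO from PT_GNU_RELRO plus the BIND_NOW flag, and the canary from the presence of __stack_chk_fail in the dynamic string table (a heuristic, since a canary‑protected binary imports that symbol). Because it must run offline, the script synthesises a tiny constructed ELF64 image in memory instead of reading ipzz281; `build_test_elf` and its layout (base 0x400000, dynstr at 0x200, dynamic at 0x300) are assumptions for the demo only.

```python
"""Minimal ELF64 mitigation checker (added example, constructed test data)."""
import struct

# ELF constants (ELF64 / Linux ABI values)
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_STRTAB, DT_STRSZ, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def program_headers(data):
    """Yield ELF64 program headers as dicts (little-endian images only)."""
    assert data[:4] == b"\x7fELF" and data[4] == 2, "not an ELF64 image"
    (phoff,) = struct.unpack_from("<Q", data, 32)          # e_phoff
    phentsize, phnum = struct.unpack_from("<HH", data, 54)  # e_phentsize, e_phnum
    keys = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")
    for i in range(phnum):
        yield dict(zip(keys, struct.unpack_from("<IIQQQQQQ", data, phoff + i * phentsize)))


def vaddr_to_offset(phdrs, vaddr):
    """Translate a virtual address to a file offset through the PT_LOAD segments."""
    for ph in phdrs:
        if ph["type"] == PT_LOAD and ph["vaddr"] <= vaddr < ph["vaddr"] + ph["filesz"]:
            return vaddr - ph["vaddr"] + ph["offset"]
    raise ValueError("address %#x is not backed by a PT_LOAD segment" % vaddr)


def dynamic_entries(data, phdrs):
    """Return {d_tag: d_val} from PT_DYNAMIC, stopping at DT_NULL."""
    tags = {}
    for ph in phdrs:
        if ph["type"] != PT_DYNAMIC:
            continue
        for off in range(ph["offset"], ph["offset"] + ph["filesz"], 16):
            tag, val = struct.unpack_from("<QQ", data, off)
            if tag == DT_NULL:
                break
            tags[tag] = val
    return tags


def check_mitigations(data):
    """Derive NX / PIE / RELRO / canary the way checksec-style tools do."""
    phdrs = list(program_headers(data))
    (e_type,) = struct.unpack_from("<H", data, 16)
    dyn = dynamic_entries(data, phdrs)

    # NX: PT_GNU_STACK must exist and must not carry PF_X (no header => executable stack).
    stack = [ph for ph in phdrs if ph["type"] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0]["flags"] & PF_X)

    # PIE: a position-independent executable is linked as ET_DYN.
    pie = e_type == ET_DYN

    # RELRO: PT_GNU_RELRO alone is partial; BIND_NOW makes it full, because the
    # GOT is resolved entirely at load time and can then be remapped read-only.
    has_relro = any(ph["type"] == PT_GNU_RELRO for ph in phdrs)
    bind_now = bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW) or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    relro = "Full" if has_relro and bind_now else "Partial" if has_relro else "None"

    # Canary (heuristic): a canary-protected binary imports __stack_chk_fail.
    canary = False
    if DT_STRTAB in dyn and DT_STRSZ in dyn:
        start = vaddr_to_offset(phdrs, dyn[DT_STRTAB])
        canary = b"__stack_chk_fail\0" in data[start:start + dyn[DT_STRSZ]]

    return {"NX": nx, "PIE": pie, "RELRO": relro, "Canary": canary}


def build_test_elf(pie, nx, relro, canary):
    """Synthesise a tiny ELF64 image with the requested properties (constructed, assumed layout)."""
    base = 0 if pie else 0x400000
    dynstr = b"\0" + (b"__stack_chk_fail\0" if canary else b"") + b"system\0"
    dyn = [(DT_STRTAB, base + 0x200), (DT_STRSZ, len(dynstr))]
    if relro == "Full":
        dyn.append((DT_FLAGS, DF_BIND_NOW))
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack("<QQ", t, v) for t, v in dyn)

    def phdr(p_type, flags, offset, size):
        return struct.pack("<IIQQQQQQ", p_type, flags, offset, base + offset,
                           base + offset, size, size, 0x1000)

    phdrs = [
        phdr(PT_LOAD, PF_R | PF_W, 0, 0x400),
        phdr(PT_DYNAMIC, PF_R | PF_W, 0x300, len(dyn_bytes)),
        phdr(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0),
    ]
    if relro in ("Partial", "Full"):
        phdrs.append(phdr(PT_GNU_RELRO, PF_R, 0x300, 0x100))

    ehdr = struct.pack("<16sHHIQQQIHHHHHH",
                       b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8,
                       ET_DYN if pie else ET_EXEC, 0x3E, 1, base + 0x1000,
                       64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    image = bytearray(0x400)
    image[0:64] = ehdr
    image[64:64 + 56 * len(phdrs)] = b"".join(phdrs)
    image[0x200:0x200 + len(dynstr)] = dynstr
    image[0x300:0x300 + len(dyn_bytes)] = dyn_bytes
    return bytes(image)


if __name__ == "__main__":
    # Same profile as the write-up's table: NX on, no PIE, full RELRO, no canary.
    print(check_mitigations(build_test_elf(pie=False, nx=True, relro="Full", canary=False)))
```

To audit a real file, replace the constructed image with `check_mitigations(open("ipzz281", "rb").read())`; the output dictionary should match the write‑up's table (NX True, PIE False, RELRO "Full", Canary False). The canary check is intentionally a string‑table heuristic rather than a full symbol‑table walk, so a binary that mentions __stack_chk_fail without using it would be reported as protected.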