Alright, folks, let’s dive into my little adventure with “ez pawn hunter.” I gotta say, it wasn’t some grand, planned-out project. It was more like, “Hey, this looks kinda interesting, let’s poke at it.”

Getting Started
So, first things first, I needed to figure out what this “ez pawn hunter” even was. I did a little bit of searching to get a general idea. The name itself gave me a clue, something about pawning and maybe some kind of vulnerability.
I found the challenge, downloaded whatever files were provided. Usually, these things come with some source code or a binary, or maybe even a website to interact with.
Poking Around
Once I had the files, I started exploring the program. I opened it up, ran it, and saw what it did. I clicked buttons, entered some random text into input fields, just generally messing around to see how it behaved. The basic stuff.
Then, I started looking for anything that seemed… off. You know, weird error messages, unexpected crashes, anything that hinted at a potential weakness. I also ran this command to list the functions:
```bash
nm -D ./filepath
```
I found that these functions exist:
- do_system
- do_nothing
- do_more_nothing
Sounds fishy, huh?
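The symbol listing above is the kind of thing worth scripting when triaging a batch of binaries. Here is a small added example (my code, not from the original writeup) that parses `nm -D` style output and flags symbols whose names or imports deserve a closer look, such as a defined `do_system` next to an imported `system`. The sample output is constructed for the example and is not the challenge binary's real symbol table; the watchlist is an assumption, not a standard.

```python
import re

# Constructed sample of `nm -D` output for this example; not the real binary's symbols.
SAMPLE_NM_OUTPUT = """\
                 w __cxa_finalize@GLIBC_2.2.5
                 w __gmon_start__
                 U __libc_start_main@GLIBC_2.34
0000000000401196 T do_system
00000000004011b2 T do_nothing
00000000004011c4 T do_more_nothing
0000000000401236 T main
                 U read@GLIBC_2.2.5
                 U setvbuf@GLIBC_2.2.5
                 U system@GLIBC_2.2.5
                 U write@GLIBC_2.2.5
"""

# One nm line: optional hex address, a one-letter symbol type, the symbol name.
NM_LINE = re.compile(r"^(?P<addr>[0-9a-fA-F]+)?\s+(?P<type>[A-Za-z?])\s+(?P<name>\S+)$")

# Imports that often indicate command execution or unbounded copies (assumed watchlist).
SUSPICIOUS_IMPORTS = {"system", "execve", "execl", "popen", "gets", "strcpy", "sprintf"}

# Substrings in defined function names that hint at a "win"/command helper (heuristic).
SUSPICIOUS_NAME_HINTS = ("system", "exec", "shell", "win", "flag")


def parse_nm(output: str):
    """Return a list of (address or None, type letter, name) tuples."""
    symbols = []
    for line in output.splitlines():
        m = NM_LINE.match(line)
        if not m:
            continue  # skip blank lines or anything that is not a symbol row
        name = m.group("name").split("@")[0]  # drop the glibc version suffix
        addr = int(m.group("addr"), 16) if m.group("addr") else None
        symbols.append((addr, m.group("type"), name))
    return symbols


def triage(symbols):
    """Flag symbols worth inspecting, with the reason for each finding."""
    findings = []
    for addr, typ, name in symbols:
        reasons = []
        if typ == "U" and name.lower() in SUSPICIOUS_IMPORTS:
            reasons.append(f"imports {name}")
        if typ == "T" and any(h in name.lower() for h in SUSPICIOUS_NAME_HINTS):
            reasons.append("defined function name hints at a command/flag helper")
        if reasons:
            findings.append({"name": name, "type": typ, "addr": addr, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_nm(SAMPLE_NM_OUTPUT)):
        addr = f"{f['addr']:#x}" if f["addr"] is not None else "(undefined)"
        print(f"{f['type']} {f['name']:<16} {addr:<12} {'; '.join(f['reasons'])}")
```

Run it against real `nm -D` output by piping it into `parse_nm`; the point is that a defined helper named after a dangerous libc call, sitting beside an import of that same call, is exactly the pattern a reviewer should stop and read.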
Digging Deeper
I suspected that this program had some hidden vulnerabilities. I used objdump to try to find them, and I tried entering more data to check whether I could reproduce an error.
After some testing, I'm pretty sure I found the vulnerability: I can execute the do_system function with a write() overwrite! I wrote the exploit using Python pwntools, with the following gadgets:

```python
pop_rdi_ret = 0x0000000000401453
ret = 0x000000000040101a
```
Crafting the Exploit
I crafted some special input, designed to trigger the vulnerability and give me control. This often involves overflowing buffers, using format string bugs, or other clever tricks. I also used cyclic and gdb to find my offset.
I used the cyclic command like below to find the offset:
```bash
./cyclic 200
```
Then I debugged it with gdb (pwndbg) and finally found that the offset is 72, so I wrote an exploit.
After a few attempts, I found a working exploit! I put it all together and ran it. Boom! I got a shell, meaning I had successfully taken control of the program.
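To show what `cyclic 200` and the offset lookup are actually doing, here is an added example (my code, not from the original writeup or from pwntools) that builds the same kind of de Bruijn pattern and recovers the offset from the value a debugger reports after a crash. The "crashed register value" is constructed inside the example by taking the 8-byte window at position 72, so it reproduces the writeup's offset of 72 by construction; a real run would take that value from gdb instead.

```python
import string
from itertools import islice


def de_bruijn(alphabet=string.ascii_lowercase, n=8):
    """Lazily yield a de Bruijn sequence B(k, n): every length-n window is unique."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length, n=8):
    """Equivalent of `cyclic <length>`: the first `length` bytes of the pattern.

    n=8 because a 64-bit saved return address holds an 8-byte window.
    """
    return "".join(islice(de_bruijn(n=n), length)).encode()


def cyclic_find(window, n=8, max_length=1 << 16):
    """Offset of an n-byte window in the pattern, or -1 if it is not there.

    Accepts either the raw bytes or the integer a debugger prints for a
    register: that integer is the window read little-endian from the stack.
    """
    if isinstance(window, int):
        window = window.to_bytes(n, "little")
    if len(window) != n:
        raise ValueError(f"expected a {n}-byte window, got {len(window)} bytes")
    return cyclic(max_length, n).find(window)


def demo_offset():
    """Constructed crash: pretend the saved return address was pattern[72:80]."""
    pattern = cyclic(200)
    crashed_value = int.from_bytes(pattern[72:80], "little")  # what pwndbg would show
    return cyclic_find(crashed_value)


if __name__ == "__main__":
    print(cyclic(200).decode())
    print("offset:", demo_offset())
```

Because every 8-byte window of the pattern is unique, the value left in the saved return address slot identifies exactly how many bytes of input came before it; that is all the offset of 72 means, and the same property is why a too-short pattern (shorter than the overflow) gives no hit and you rerun with a longer one.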
The Finish Line
Finally, I tested my exploit locally, and it worked. And I got the flag. I did it! It might not have been the most elegant solution, but hey, it worked!
That’s the story of my “ez pawn hunter” journey. Just a lot of trial and error, a bit of luck, and the satisfaction of figuring something out. Remember, it’s all about persistence and being curious enough to keep digging!
