[Pwn] No Return

Good challenge. Waiting for the last of three.

Ughhh, I thought this was gonna be easy as pie until I saw no pages were mapped rwx :T

Pretty nice challenge.

@ano12 said:
Pretty nice challenge.

If you need help. PM me.

I need help with the first step to expand the stack.

Hey, people…
I need a hint please.

Do we need to use system (kernel) functions from the vdso?
Or do we need to use only JOPs from the ELF?

Can you share some material for this exploit technique?

Thank you.

Ah, yes, I am able to do an infinite loop at the end of the ELF, but it is waiting for “tty input”.
Is this the right way?

Spoiler Removed

Could use a hint :slight_smile: Trying to get s**p to work; I’m able to call r*_s*******n, but it segfaults right after. Am I heading the right way?

Spoiler Removed

I am totally lost. The gadget works, but arranging the stack is painful. I always get a segfault.

EDIT: finally got it.
Learned a new technique.

Great challenge.

Hard to get the right JMP, but when you find it it’s straightforward.

What an interesting challenge.
Learned that a certain instruction behaves differently in an error case when inside a virtual machine. Managed to avoid the error and got it to work in the end.

Done & Dusted! A nice and easy challenge coming after doing those Dream Diary Challenges. Thanks to @chirality for a good challenge.

Wx

Any hint on this? I found the jump but nothing more. I would like to discuss my idea with anyone to see if I’m on the right path. PM is fine with me.

Complete!
Learned a lot. Thanks to the creator of this, @chirality.

I solved it in a very roundabout way and feel like I’m missing something that would make this easier. If someone would like to share their solutions with me, I’d love to see them.

EDIT: seen a writeup now, it could’ve been solved in a much shorter way, but I like my way better :stuck_out_tongue:

I’ve just done it.
Very interesting challenge, one of the most interesting for me :slight_smile:
Thanks @chirality for it :slight_smile:

Can someone hit me up with some hints and nudges for this?
I have disassembled the entry… and now I feel clueless and helpless :slight_smile:
Thanks!

Wow, such a cool challenge. Learned a lot along the way and the most complex I’ve done yet. I do wonder if I overcomplicated it, but if it works it works :slight_smile:

Hopefully not a spoiler, but Ghidra sort of hid something that was important for my solution, where other disassemblers like Binary Ninja did better.