[NJCTF 2017] syscallhelper(pwn 600) write-up

This is the most valuable challenge in NJCTF (worth 600 points). It is also good practice for writing shellcode; pwntools provides handy APIs for that.

The child process is chroot-jailed. To get the flag, which lives outside the jail, we have to use ptrace to attach to and modify the parent process and so escape the jail.

There are many ways to exploit the vulnerability; we chose the following one:

  1. Add a syscall with a negative number of registers and hijack the vtable to a stack position.
  2. Input shellcode using the "leave notes" function.
  3. Call the hijacked function pointer.


