PWN::Swordmaster
Solution:
- Getting the flag for this challenge requires exploiting 3 bugs. First, we can leak the base address of libc with a format string vulnerability. Next, we can obtain the base address of the heap with a Use-After-Free (UAF) vulnerability. Finally, we can corrupt the metadata of the heap's top chunk, allowing us to execute a "House of Force" attack, overwriting `__malloc_hook` with `system` and obtaining a shell.
- Full Write-up on my blog
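
The last step depends on the allocator trusting the top chunk's size field. The model below is an added example, not code from the write-up or the challenge binary: it carves chunks from the top chunk with and without the size sanity check that glibc 2.29 introduced. The addresses, sizes and function names are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample layout; not taken from the challenge binary. */
#define HEAP_BASE 0x555555559000ULL
#define HEAP_LEN  0x21000ULL          /* bytes the arena got from the OS */
#define HDR       16ULL               /* chunk header on 64-bit */
#define MINSIZE   32ULL

struct arena { uint64_t top, top_size, system_mem; };

/* Pad a request to a chunk size (flag bits in the size field are ignored here). */
static uint64_t req2size(uint64_t req) {
    uint64_t nb = (req + 8 + 15) & ~15ULL;
    return nb < MINSIZE ? MINSIZE : nb;
}

/* Carve a chunk from the top chunk. check_top=0 models glibc before 2.29,
   check_top=1 adds the 2.29 sanity check. Returns 0 when refused. */
static uint64_t alloc_from_top(struct arena *a, uint64_t req, int check_top) {
    uint64_t nb = req2size(req);
    if (check_top && a->top_size > a->system_mem)
        return 0;                     /* glibc aborts: "malloc(): corrupted top size" */
    if (a->top_size < nb + MINSIZE)
        return 0;                     /* real malloc would ask the OS for more memory */
    uint64_t victim = a->top;
    a->top += nb;                     /* trusts top_size: nothing bounds the new top */
    a->top_size -= nb;
    return victim + HDR;
}

/* After one oversized request, does the next small chunk land outside the heap? */
static int next_chunk_escapes_heap(uint64_t top_size, uint64_t big_req, int check_top) {
    struct arena a = { HEAP_BASE + 0x1000, top_size, HEAP_LEN };
    if (!alloc_from_top(&a, big_req, check_top))
        return 0;
    uint64_t p = alloc_from_top(&a, 24, check_top);
    return p != 0 && (p < HEAP_BASE || p >= HEAP_BASE + HEAP_LEN);
}

int main(void) {
    uint64_t big = 0x7ffff7a00000ULL; /* constructed oversized request */
    printf("intact top, no check:      %d\n", next_chunk_escapes_heap(0x20000, big, 0));
    printf("corrupted top, no check:   %d\n", next_chunk_escapes_heap(UINT64_MAX, big, 0));
    printf("corrupted top, 2.29 check: %d\n", next_chunk_escapes_heap(UINT64_MAX, big, 1));
    return 0;
}
```

Only the middle case reports a chunk outside the heap; glibc 2.34 later removed `__malloc_hook` as well.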