You learn the most random ways to abuse program features, one I still remember because of how long it took to figure it out was an htb box that (after a long exploitation path) used NTFS ADS to hide the flag within the alternate stream in a decoy file; and of course the normal way to extract the stream was disabled so had to do some black magic with other binaries to get it
replyI don't think I've used any of these in a CTF tbh
replyI've definitely used one or two in the last 6 months
replyFor what kind of challenge? Most of these are not even available in CTF environments
replyI've used them for pwncollege CTFs but pwncollege is way below your level (I've seen some of your write ups before).
replydeleted
replyHuh? How does that work exactly? I've heard of /proc fuckery before but didn't know you could disable aslr with it.
replyIf you have /proc available, you don't even need to disable ASLR (all mappings are available to you)
replyHey you know what, I've used dd to write into process memory but haven't actually used it to disable KASLR, so it's possible I am misremembering. My bad.
reply:(
replySounds super 1337 and I hope it's actually possible somehow.
Parse /proc/<pid>/maps to find the relevant target_addr in your process-under-attack. And then its a matter of:
reply $ dd if=shellcode.bin of=/proc/<pid>/mem bs=1 seek=$((target_addr)) ...