Our horoscope developers have pivoted to a more security-focused approach to predicting the future. You won’t find breaking into this one quite so easy!
nc sechoroscope.sdc.tf 1337
By green beans
In dbg.getInfo there is a 0x8c-0x70 = 0x1c byte buffer overflow. Although it is very small, it still allows us to do a stack pivot:
- overwrite rbp with an address in a writable memory page, then jump to dbg.getInfo again, skipping the callee prologue so that rbp stays the same
- write the payload (leak a libc address and return to dbg.getInfo) into the current stack frame
- double leave; ret, pointing rsp at our payload
- write a ROP chain that calls system("/bin/sh") to get a shell
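The pivot above works because nothing checks that rsp still points into the real stack when dbg.getInfo returns. The following is an added, defender-side example (not code from the writeup or the challenge binary): it reads the main thread's stack bounds from /proc/self/maps (Linux-specific, an assumption of this example) and implements the kind of rsp range check that stack-pivot mitigations apply at sensitive call sites. The global array g_writable_page and the demo functions are constructed for illustration only.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stdlib.h>

/* Bounds of the main thread's stack mapping, read from /proc/self/maps
 * (Linux-specific). Returns 0 on success, -1 if no [stack] line is found. */
int main_stack_bounds(uintptr_t *lo, uintptr_t *hi) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512];
    int found = -1;
    while (fgets(line, sizeof line, f)) {
        if (strstr(line, "[stack]") == NULL) continue;
        unsigned long start, end;
        /* maps lines look like: 7ffd1234000-7ffd1255000 rw-p ... [stack] */
        if (sscanf(line, "%lx-%lx", &start, &end) == 2) {
            *lo = (uintptr_t)start;
            *hi = (uintptr_t)end;
            found = 0;
        }
        break;
    }
    fclose(f);
    return found;
}

/* 1 if addr lies inside the main thread's stack mapping, 0 otherwise
 * (also 0 when the bounds cannot be determined: fail closed). */
int addr_in_main_stack(uintptr_t addr) {
    uintptr_t lo, hi;
    if (main_stack_bounds(&lo, &hi) != 0) return 0;
    return addr >= lo && addr < hi;
}

/* The check a stack-pivot mitigation performs before a sensitive call:
 * the stack pointer must point into the genuine stack. Returns 1 if a
 * pivot is suspected (sp outside the stack mapping), 0 if it looks legit. */
int stack_pivot_suspected(uintptr_t sp) {
    return !addr_in_main_stack(sp);
}

/* Checks the caller's own stack pointer, approximated by a local's address. */
int current_sp_looks_legit(void) {
    volatile int probe = 0;
    return !stack_pivot_suspected((uintptr_t)&probe);
}

/* Constructed stand-in for a writable non-stack page (e.g. .bss) that a
 * pivoted rsp would land in. */
static char g_writable_page[4096];

uintptr_t demo_pivoted_sp(void) {
    return (uintptr_t)&g_writable_page[2048];
}

int main(void) {
    printf("current sp inside stack mapping: %d\n", current_sp_looks_legit());
    printf("sp pointing into .bss flagged as pivot: %d\n",
           stack_pivot_suspected(demo_pivoted_sp()));
    return 0;
}
```

The check is deliberately coarse: it only tells you that rsp has left the stack mapping, which is exactly what the leave; ret pivot described above does. A real mitigation would also record the stack bounds once at thread start rather than re-parsing /proc/self/maps on every call, and would use the per-thread bounds from pthread_getattr_np for non-main threads.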
from pwn import *