Tags: buffer-overflow pwn rop 

# BaseX, 300p, exploit

> BaseX stores data from stdin into a buffer.

The binary let us write arbitrary data at an arbitrary offset from the
stack (a simple buffer overflow). A complication was that we had no echo, which
made debugging the exploit harder. In the end, we chained ROP gadgets so that the
`fread` GOT entry pointed to `system`, then jumped there with a crafted command string.

Original writeup (https://github.com/p4-team/ctf/tree/master/2018-03-30-nuit-du-hack/basex).