[Pwnable] Dream Diary

_py · October 9, 2017, 1:31pm

Let’s step up the game.

###Description

Note down your dreams in your diary. Who knows, dreams come true and you might get a shell!

###Rules

ASLR on.
Make sure your malloc’s version is the latest. I know its mitigations so don’t try to fool me.
If you’re getting crashes, consult this.
Only a detailed analysis of your exploit + PoC are accepted as valid solutions (don’t forget to use the spoiler tags). Half-assed explanations never showcased mastery.

###Binary

pwn me

Or:

base64 -d thebelow | gunzip > pwn

H4sICMPZ4FkAA2RyZWFtZGlhcnkA7VprcBPXFb6S5QcvWQSTmkfidQaogVixjfEY0oJkLFi35m3T
B3XktbXCIrLkSCuwGR4mClCNcao0nQydtjNkkh+ZaWeaH8yEpg02geC0ZDrQaZnpNDOhrWEkDAwN
lLq2QT1n915p98YK5E9/+XhW557vPO49Z+/e3fXdQ67G9WaTiTAykzUEpXi+Q5UdFH+3NG0CWC2Z
Br9PkYUkD+RcnZ2DOAx8lIZmvIDa5cBhgaPWrMm1ZoeBL6R2jJt0PJfoyWHgn84mBk6IkPbDsdqe
1lDb060G3kXHUZFj9DNTvzLqV0btGb9EB3aJy89CjyYat4nmxXg9tavX2SNtuaZ4sH2+UJPPFzoM
3EPtPJzfVvDLI49PNsq30f6y1eUOzYtxdh6e8/vaaqqf83vK/b5ApLu8u7amvKbaHg7aq9Qx2ajt
hk3Nqj2ro0DHXES0OYB6959y3/vtzdd63piz6o3qN49d/sNLf38LdbNI5rwRk0B6TTYzYlY6hqVP
HV/obZZsqz7vY9PkCxSG44ks+U+Gr8iCz82CP5sFX50Fl7Lg3YTNOCOtz2L/vSx4UxZ8RhZ8LRyz
yXzSK7SqMpu/Syge5/CNFD/J4QTmQzue/hoid/sU0hVRwsTtDitS+4vu9o4X3V7J5ydhxeMLkK6Q
L6B4QQj55QAJyZIHFcGIQjolvz/YjpIcChFJCfpIWFb2tEW8EAt7wIAhxd0pQRhvSJYB3tUZDFDY
TTY0NtStc1fZq9OtKvtKHJ5Z/cuhnMnmtGyCX5xr7Loo8vlm4Qw9RrHIfN809HqN6kdLtPzz9DUA
YnXENWqWDo/rcKsOP6nDC3V4McXzSeaaQxJ0uFmHl+nwHB1eocMtOrxWh+vXU4cO168nog7P1+Fb
dPg0Hf5dHT5dh7fq8Bk6vEOHz9T3G71ZIPblbpwnEPHIoJKbuKiC5wvOafrUyjpQpRbXw29hiQNa
KHegKnk1BbR4NcpYwuQlVa5CGUuXHFTlZShjyZLvqvIzKGOpkidVeT7KWKJkXJWfQBlLk+xV5eko
47CTXapsRhmnRLJVlceKQcbSJLeo8ucoY0mSDlUOgeyNs3wrbzXELr8gxv4hRofvbGlqGBokVgcR
h87GZyEbOjzTQRJ7we+et7AEbh6nj0HhmsVynHdidNQqxq7tWXBarRyUa3bLACpSV8H4FTV+yzms
ktfO5DO9qv/h22qAsw9zIIAYuyOeTawVTRfEyw+VueloM1i0whKIo/Xf+00Jxk8is5vBMRGAgbVc
yN0EkOmu2tOA8DQObC2J5I68Dn7pYP9Ch9SlluQ+8MH2QDEkmmh8mEoNOLBVh60ObNViK44tO7ZO
Y2sRtq5iaz62CuD2mLClPfKwtRQwtbvE10GMt5zDXmA+CWLsQEKMRa6Kfc1wuKB9YUC1KwS7mGsi
emCCHCoaKMeYv3sAkfA8qeOJ/z4dxCP2WRaXYTIx12jl4JDrDoa44LpHxH7XnfctqobGfe8Bxr0Z
PXAzHdeTjnsDWugixoYSf8R238ZRj7hiphocJvz3AcvarUj7HXINq1P+I/jpcw2LJ8Dso0E8pUcG
C4/8EtCBVelyFNMez+SpcYYS/3yYGcK3UXkCoie00gwl5iES+1ALGytSw/J9RIoGnJhW/wRLaw4m
uDnd59ugMDr1NUP0K9iBB8/WDnTfBFYj86KuYVP0wHBh4auVEGnAjZpq0MRhRFgaCyvN2onHKM1A
MD2IkgktT+PZmTeRyX7jBJ6pYeiddOfhGA7OHNiL/Z8ah5F18mkrW4wIRPjZOFbLldDl/s549tw7
sExHsYdt2MOMgePYXj8+SbZbx79atpXjk2W7fDyTrXs8PS8x25vpbC+MwVg297luGrOtMiIQoX8M
U0NwSAPVMaj5vDym5vNzbO8ZmySfw2O6fGxZ8oG1/69zBPIbbL+Pq/YZQiftj8fwWsm9OLlW0bQf
TK7dAVqtSC9PWqS8sUyRVkM7OmpWFsHPofzoqEmxjqyOjuYoJdFRi7JkxK4F2olTt1xr74aTOlKq
tXFBG5mrhU39F072KSyIDK14sgemd2YpVtdT53ecO5yxlLPZ2dTYvzhgE2Bx7i9Hvr0hdr8h9pfG
pdfUe+LZBzmJz0ZhmEduKULl31iQxtiNxtj9eoiQKvpUjJ4ziatGIjfwhrmzxfkDZ4vzBaf7XDzT
6d1z9B5Lb6km+lQxfXn5l9Jyer/aLzCqhwe5TqHeJ4V60piwn93XHjMcxNtZ2SI48TFQUmSBp/06
u6oWweXxKV+w4e1WtAj1sl+eJJrRrhridWeNt2aNQLbBo6oAT6bBUCmZvt23T14tkI3qIytD6yVF
AnB7pL1dDodLSVMwKHRKgR4hEFRkkBsCHrkbDDZHFCHoFdqCkYAH4PpgQC4lm4JCs3O94A2GhJ5g
RJXhqbjNL5fjo24Gbwjskfw+j9DeEfS1g59pQc7zeOXh89TE/VTqV8A/+U8qhcl9CFPkz8DLYMLd
A94JvAiehoaBVwNPwexuAn4LrgMF+AcwjX8C/BOYwqeAfwOm74RJe19DMu3bRkzdNtOCmfkFcVO+
DXF8+RKhv2UkQ5PbE7KI2cM4B9HAaltvLf5W4Yy9Bb1k7fznl61Y9AyhNvhufB3iehFwWm1Hzetm
5ZkliKTp8R34WcjPZdA70nqc4VtBv9egD6X1b8PxDugXmHT6nCdNaID683C8BXW6bfBPpv3xlvsS
1O+SQX8xrbdA3FKoK9HHp3XB3BYBboN6ywjUWW0/MtdZi1/NcVmFfkudtex4rmitOJonWmuj+Rut
jpC11mmtcFrL6qwC2IF9nbVArbMf4tRCHP37wBRN0RRN0RRN0RRN0RRN0RRN0aOotcChcgfljEwc
Z/+jP5mn2bG9DotVk+dRme0jLqAy2yuZT3kx1S/k9P9+mAoiP2HW4rE9CtGiyew96mOqZ3sMv6Cc
7S0UUz6XGCmzzav1z96dCmiC7P2V7XV8jfITuQ4DXktlNu5WytleCOsfXqPVfAqofYrKrJ53qHyd
5vf/IraPzdMVel6vU36f8jz6XcCTlC+hvIby9ZTvoNxL+R7Kedqwbt1qoay5LRJQIsJKe7W9orwm
okqVBytr7BXV9uqlGi5UVVTWVNRUrCLEHu4IKyFFaiN2X0CRQ13Ejv9fsTvrGsoVaReVdgUi9raI
z+8p93mIKnVI4Q5i9/QEwj2dGldCmmaPHAr7ggGD4AZdSPZLaEhbXX4Fu/TBLzTtu4LQUORu+PUC
CkZBj6RIxC53uL0hqVN2d3hCGUlzdUuhkNSjebD27vaQOh6p09dOMKzWkxasLRwm9vZgZ6ccUL76
CeYIrwucc2y+Z7670GR+I93EyXOIce8x812DJgucvYWTSzl/hforFFj0CP9qOO7DtcL82fpwgn2/
QXG2Xuj3ZpHWEK0GzJ+tHx9ToJcmjOuLSefPrmPcj8/R+bP1SKQDZesPI75+m4h27TN/dr1fp/4C
N34zx3cSbS1Jr1ds/aEOLH9+/Ix2E62m6fNP/WupfyvXP5+/Qv3rqMzWwxPUga2fudSH9z9IdN90
kMz94yQF2H2BEX/+ezj/Qeo/SIFBzt7G8Vc4/166LvXSBZ2vFy/3c/7sO6k49Q9xH+HYjCJ5nfNn
90sL/ShgGmfP5/9TYrx+bdTfRv1PcROOH/+bnH/m+yJN9nD2fP+/5vzLbA7KH69/3IzBobL7b+Z7
o8nteRk3OAt1/uz5ofgx/S/T8TN/gfoLj+l/hWjnjvlnvgfT5Eu69UPvz+bBD7n+2XckoyVf3j/j
n3H+7PmFLRxdj/BPcP5d1L9LMI6T92d0m2LMn33v0kv9Bzl7gZPv0v4rOJz5V3M4/9xpyF1Hp6j/
RBZ/Rv8Dz2/Er/AoAAA=

~ hf

Sirius · October 9, 2017, 3:45pm

Clickbait title, came here looking for py’s actual dream diary, all i got was a pwnable binary.

10/10 would get trolled again.

_py · October 9, 2017, 3:48pm

Tags:

binary
challenge
pwning
exploitation
linux

Sirius · October 9, 2017, 3:52pm

@Suser tasked me with helping him pwn the way to your heart. I need those intimate details.

exploit · October 9, 2017, 5:37pm

I’ll check it soon!

exploit · October 9, 2017, 8:56pm

[spoiler]

[/spoiler]
Got it!

_py · October 9, 2017, 9:12pm

Congrats you pwning beast! First blood as always

+1 for pwning it (slightly) differently than I did

_py · October 19, 2017, 5:02am