These come up in CTFs all the time. One trick I don't see here is you can use `dd` to write into the `/proc` hierarchy to achieve all sorts of fuckery including patching shellcode into a running process.

▲ mpeg 6 hours ago | parent | next [-]

You learn the most random ways to abuse program features, one I still remember because of how long it took to figure it out was an htb box that (after a long exploitation path) used NTFS ADS to hide the flag within the alternate stream in a decoy file; and of course the normal way to extract the stream was disabled so had to do some black magic with other binaries to get it

▲ saagarjha 7 hours ago | parent | prev | next [-]

I don't think I've used any of these in a CTF tbh

▲

stackghost 6 hours ago | parent [-]

I've definitely used one or two in the last 6 months

▲

saagarjha 6 hours ago | parent [-]

For what kind of challenge? Most of these are not even available in CTF environments

	▲	mna_ 6 hours ago \| parent \| next [-]
		I've used them for pwncollege CTFs but pwncollege is way below your level (I've seen some of your write ups before).
	▲	5 hours ago \| parent \| prev [-]
		[deleted]

▲ dominicq 6 hours ago | parent | prev [-]

Huh? How does that work exactly? I've heard of /proc fuckery before but didn't know you could disable aslr with it.

▲ PhilipRoman 6 hours ago | parent | next [-]

If you have /proc available, you don't even need to disable ASLR (all mappings are available to you)

▲ stackghost 6 hours ago | parent | prev [-]

Hey you know what, I've used dd to write into process memory but haven't actually used it to disable KASLR, so it's possible I am misremembering. My bad.

▲ dominicq 6 hours ago | parent [-]

Sounds super 1337 and I hope it's actually possible somehow.

	▲	aa-jv 6 hours ago \| parent [-]
		Parse /proc/<pid>/maps to find the relevant target_addr in your process-under-attack. And then its a matter of: `$ dd if=shellcode.bin of=/proc/<pid>/mem bs=1 seek=$((target_addr)) ...` See also: DDExec https://github.com/arget13/DDexec