#linker-as-a-service

Turing-complete relocations are fun and all, but can you use them to pop a shell?

nc chal.amt.rs 1342

unvariant <- author
pwn <- category
500 <- points
1 <- solves
hard <- difficulty

#solution

  1. add /proc/self/exe as a dynamic dependency
    • allows the binary to be loaded at an offset relative to the linker
  2. use relocations to modify linker state to get rce
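
Step 1 works because the dynamic loader opens any DT_NEEDED name containing a slash as a pathname instead of searching the library path. The following is an added example, not part of the original writeup: a check that a service handling untrusted ELF input could run to list such path-style dependencies. The function names and the sample image are constructed for illustration.

```python
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5

def needed_entries(elf):
    """Return the DT_NEEDED strings of a little-endian ELF64 image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    loads, dyn = [], b""
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dyn = elf[p_offset:p_offset + p_filesz]
    entries = []
    for tag, val in struct.iter_unpack("<qQ", dyn[:len(dyn) // 16 * 16]):
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    # DT_STRTAB is a virtual address; map it to a file offset via PT_LOAD.
    strtab = next((v for t, v in entries if t == DT_STRTAB), -1)
    base = next((o + strtab - v for v, o, n in loads if v <= strtab < v + n), None)
    return [elf[base + v:elf.index(b"\0", base + v)].decode("latin-1")
            for t, v in entries if t == DT_NEEDED and base is not None]

def path_dependencies(elf):
    """DT_NEEDED names containing '/' are opened as paths, not searched for."""
    return [name for name in needed_entries(elf) if "/" in name]

def sample_elf(names):
    """Constructed test image: ELF header, two phdrs, .dynamic, string table."""
    offs = [1 + sum(len(n) + 1 for n in names[:i]) for i in range(len(names))]
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in names)
    dyn_off, dyn_size = 64 + 2 * 56, 16 * (len(names) + 2)
    str_off = dyn_off + dyn_size
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offs)
    dyn += struct.pack("<qQqQ", DT_STRTAB, str_off, DT_NULL, 0)
    total = str_off + len(strtab)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 4, 0, 0, 0, total, total, 4096)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 4, dyn_off, dyn_off, dyn_off,
                         dyn_size, dyn_size, 8)
    return ehdr + phdrs + dyn + strtab
```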

#unintended

none :D