Difficulty: easy

Category: pwn

Author: xnull

Description:

### Use After Free Bug

This program manages users. There is a use after free vulnerability that allows you to escalate privileges.

Can you trigger the bug to call the admin function and get the flag?

**Access:** Connect to the binary with `ncat --ssl [host] [port]` or use pwntools.

Scenario:

```
===== User Management System =====
1. Create user
2. Delete user
3. Create admin
4. Use user
5. Exit
Choice:
```

Solution

We do the following steps:

  • Create user (writes user to slot 0; sets current user to 0)
  • Delete user (deletes user from slot 0)
  • Create admin (writes admin to slot 0)
  • Use user (uses slot 0)

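This is equivalent to entering menu choices 1 through 4 in order and pressing Enter. The current user still refers to slot 0 after the delete, so "Use user" acts on the admin that was written into that slot.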
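The slot reuse behind these four steps, as an added model that is not the challenge's source (the write-up does not show it). A fixed slot array stands in for the heap so the reuse is deterministic; all names, and the assumption that "Create admin" leaves the current user unchanged, are hypothetical.

```c
#include <stdio.h>

/* Constructed model; every name here is hypothetical, not from the binary. */
enum kind { REFUSED = -1, EMPTY, USER, ADMIN };
#define NSLOTS 4

struct mgr {
    enum kind slots[NSLOTS];
    int current;          /* slot set by "Create user"; -1 means none */
    int clear_on_delete;  /* 0: stale reference kept, 1: hardened */
};

/* First-fit allocation: a freed slot is handed out again immediately. */
static int alloc_slot(struct mgr *m, enum kind k) {
    for (int i = 0; i < NSLOTS; i++)
        if (m->slots[i] == EMPTY) { m->slots[i] = k; return i; }
    return -1;
}

int create_user(struct mgr *m) {
    int i = alloc_slot(m, USER);
    if (i >= 0) m->current = i;   /* "sets current user to 0" */
    return i;
}

/* Assumption: creating an admin does not change the current user. */
int create_admin(struct mgr *m) { return alloc_slot(m, ADMIN); }

void delete_user(struct mgr *m) {
    if (m->current < 0) return;
    m->slots[m->current] = EMPTY;             /* slot is free for reuse */
    if (m->clear_on_delete) m->current = -1;  /* fix: drop the stale reference */
}

/* Returns the kind of object "Use user" acts on, or REFUSED. */
int use_user(const struct mgr *m) {
    if (m->current < 0) return REFUSED;
    return m->slots[m->current];
}

int run_sequence(int hardened) {  /* the write-up's four menu steps */
    struct mgr m = { .current = -1, .clear_on_delete = hardened };
    create_user(&m); delete_user(&m); create_admin(&m);
    return use_user(&m);
}

int main(void) {
    printf("stale: %d, hardened: %d\n", run_sequence(0), run_sequence(1));
    return 0;
}
```

Clearing the reference at delete time is the whole fix in this model: the slot is still reused by the admin, but nothing stale points at it.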

Flag: ENDLM{e91a96da8fc0d94838a0e43b81a7e10dfbcf9a926d1d9f39}