Magic Scrolls — HTB Challenge

retleave·Apr 21, 2026·8 min read

Info

  • Category: Pwn
  • Difficulty: Hard

Introduction

Magic Scrolls is a heap exploitation challenge implementing a "spell management system" with create, remove, read, set-favorite, and update-magic-number operations. The vulnerability is an out-of-bounds write through the magic number update feature, which corrupts heap chunk metadata and internal pointers. This single primitive is escalated through the now-standard four-stage exploit chain for modern glibc: a heap leak, a libc leak via the unsorted bin, a stack leak via environ, and finally tcache poisoning to write a ROP chain directly onto the stack.
The challenge exercises the canonical heap exploitation methodology for glibc 2.37+ with tcache safe-linking, which demands careful XOR key management and precise control of the heap layout.

Vulnerability Analysis

Program Structure

The binary manages an array of "spells" (heap-allocated buffers) and a separate "magic number" array. The key operations:
  • create_spell(data): Allocates a heap chunk and stores user data. The size varies by input length.
  • remove_spell(idx): Frees the spell at the given index.
  • read_spell(): Reads and displays the "favorite" spell's content through a stored pointer.
  • set_favorite(idx): Sets a spell index as the favorite. Can only be called once.
  • update_magic(index, value): Writes a user-controlled integer value at a user-controlled index in the magic number array.

The OOB Write

The update_magic function writes a 64-bit value at an attacker-controlled index into the magic number array, with insufficient bounds checking. By choosing negative indices or indices beyond the array bounds, the write reaches into adjacent heap metadata, including:
  • Chunk size fields
  • Tcache fd/bk pointers
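To make concrete why a write that reaches the tcache fd pointers has to respect safe-linking (the XOR key management the introduction mentions), here is an added example, not code from the challenge, the author, or glibc itself: it re-implements glibc's PROTECT_PTR/REVEAL_PTR macros over a constructed mini-heap and walks a tcache bin with the same alignment check that tcache_get() applies, so a raw, un-mangled pointer dropped into a next field by an out-of-bounds write trips the check. The base address, chunk offsets and the overwritten value are all constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Safe-linking as in glibc >= 2.32 malloc.c: PROTECT_PTR(pos, ptr) = (pos >> 12) ^ ptr and
 * REVEAL_PTR(ptr) = PROTECT_PTR(&ptr, ptr). 'pos' is the address of the next field itself,
 * so the XOR key is the page number of the chunk that stores the pointer. */
static uintptr_t protect_ptr(uintptr_t pos, uintptr_t ptr) { return (pos >> 12) ^ ptr; }
static uintptr_t reveal_ptr(uintptr_t pos, uintptr_t stored) { return (pos >> 12) ^ stored; }

/* Constructed stand-in for 0x60 bytes of heap at a made-up base, holding three
 * freed 0x20-byte chunks whose user pointers sit at +0x10, +0x30 and +0x50. */
#define WORDS 12
typedef struct { uintptr_t base; uint64_t mem[WORDS]; } heap_t;
static uint64_t *word_at(heap_t *h, uintptr_t addr) { return &h->mem[(addr - h->base) / 8]; }

/* Free the three chunks into one tcache bin as tcache_put() links them;
 * returns the bin head (the chunk freed last). */
static uintptr_t build_bin(heap_t *h) {
    uintptr_t c[3] = { h->base + 0x10, h->base + 0x30, h->base + 0x50 };
    *word_at(h, c[0]) = protect_ptr(c[0], 0);   /* NULL next is stored as the bare key */
    *word_at(h, c[1]) = protect_ptr(c[1], c[0]);
    *word_at(h, c[2]) = protect_ptr(c[2], c[1]);
    return c[2];
}

/* Walk the bin as tcache_get() would, revealing each next pointer. Returns the chunk count,
 * or -1 once corruption is detected. The range test only keeps the simulation inside mem[]. */
static int walk_bin(heap_t *h, uintptr_t head) {
    uintptr_t e = head; int n = 0;
    while (e != 0 && n < WORDS) {
        uintptr_t next = reveal_ptr(e, *word_at(h, e));
        /* glibc aborts here with "malloc(): unaligned tcache chunk detected" */
        if (next != 0 && ((next & 0xf) != 0 || next < h->base || next >= h->base + 8 * WORDS))
            return -1;
        e = next;
        n++;
    }
    return n;
}

/* corrupt == 0: walk the intact bin (3 chunks). corrupt != 0: first emulate an OOB write that
 * drops a raw, un-XORed address into the head's next field; revealed, it comes out misaligned. */
static int demo(int corrupt) {
    heap_t h = { .base = 0x55555555a000ULL };            /* constructed base address */
    uintptr_t head = build_bin(&h);
    if (corrupt) *word_at(&h, head) = 0x7ffc12345670ULL;  /* constructed stack-like value */
    return walk_bin(&h, head);
}
int main(void) {
    printf("intact bin: %d chunks, raw overwrite: %d\n", demo(0), demo(1));
    return 0;
}
```

The point for the defender is that safe-linking alone does not stop a writer who already holds a heap leak; it turns an otherwise blind pointer overwrite into one that must also carry the right page key, which is why the chain above needs its heap-leak stage first.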

Content Locked

This challenge is still active on HackTheBox. The full writeup will be available after retirement.