This is a writeup for tyro_infoleak1, the first part of a three-part challenge revolving, as the name suggests, around info leaks.
Ignoring the challenge description, we can download the binary and run checksec on it to determine which memory protections it is compiled with.
When we run the program, we are presented with the following
Basically, this program provides us with two functions: the ability to perform a relative read, and the ability to perform an absolute read.
All this basic block does is ask the user for an offset, add that offset to the address of a local variable, i, and print the 4 bytes of data stored at the resulting address.
The Absolute Read code path simply asks the user to specify an address to read from and prints 4 bytes of whatever data is stored at the specified address.
So, we have both a 4-byte relative infoleak primitive as well as a 4-byte absolute infoleak primitive.
If we take a look at the preceding initialization code, we can see how we can leverage these two primitives to leak the contents of the flag.
We can see that when the function is initialized, a chunk of memory is requested and allocated on the heap via malloc(0x100), which is subsequently used to store the contents of the flag after calling read().
We can use our relative infoleak primitive to first leak the address of the malloc()'d heap chunk, and then use our absolute infoleak primitive to leak the contents of the flag 4 bytes at a time. The following script achieves this.
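To show why these two primitives are enough, here is an added C model of the challenge's memory layout and its two reads (example code, not the writeup's script or the challenge binary). The `frame` struct, the offset of the flag pointer from `i`, and the flag string are all constructed for the demonstration; the pointer leak is written for either a 32-bit or a 64-bit target, so it needs one or two relative reads.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the challenge's stack frame: the heap pointer sits
 * at a fixed offset from the local variable i. In the real binary that offset
 * comes from the disassembly; the struct fixes it here. */
struct frame {
    uint32_t i;     /* local variable the relative read is based on */
    char    *flag;  /* the malloc(0x100)'d chunk the flag is read into */
};

/* Primitive 1: 4-byte read at &i + offset, with no bounds check (the bug). */
static uint32_t relative_read(const struct frame *f, long offset) {
    uint32_t v;
    memcpy(&v, (const char *)&f->i + offset, sizeof v);
    return v;
}

/* Primitive 2: 4-byte read at any address the caller supplies. */
static uint32_t absolute_read(uintptr_t addr) {
    uint32_t v;
    memcpy(&v, (const void *)addr, sizeof v);
    return v;
}

/* Leak the heap pointer via relative reads (one on 32-bit, two on 64-bit),
 * then copy the flag out 4 bytes at a time until a NUL byte is seen. */
static void leak_flag(const struct frame *f, char *out, size_t outlen) {
    long ptr_off = (long)offsetof(struct frame, flag);
    uintptr_t heap = 0;
    for (size_t k = 0; k < sizeof(char *); k += 4)
        heap |= (uintptr_t)relative_read(f, ptr_off + (long)k) << (8 * k);
    size_t n = 0;
    while (n + 4 <= outlen) {
        uint32_t w = absolute_read(heap + n);
        memcpy(out + n, &w, 4);
        n += 4;
        if (memchr(&w, '\0', 4)) break;
    }
    if (outlen) out[outlen - 1] = '\0';
}

/* Mirror the init code (malloc(0x100), flag read into it) with a constructed
 * flag, run the leak, and return 1 if the leaked flag matches. */
int demo(void) {
    static const char secret[] = "flag{constructed_sample}";
    struct frame f = { .i = 0, .flag = calloc(1, 0x100) };
    char leaked[0x100];
    if (!f.flag) return 0;
    memcpy(f.flag, secret, sizeof secret);
    leak_flag(&f, leaked, sizeof leaked);
    int ok = strcmp(leaked, secret) == 0;
    free(f.flag);
    return ok;
}
```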