nobodyisnobody / write-ups

Write-ups for various CTF


Hookless in MetaCTF 2021 writeup

tacbliw opened this issue · comments

Hi, in your writeup for the Hookless challenge in MetaCTF 2021, you wrote:

we probably could also have leaked the address of the bss or program base, via ld.so vars..

and overwrite a GOT entry... we left that as an exercise for the most motivated...

I wonder how to leak the program base from ld.so?
Thanks

Look at this capture. When using the gef extension,
you can do: scan ld.so binary

It will print you the references to the binary mapping zone (exec, bss, etc.) found in ld.so,

like you can see in the picture:

[screenshot: hookless ld.so]

You can see that there are many references to binary addresses in ld.so,

that we can leak too, to calculate the program base,

and eventually overwrite a GOT entry.
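The scan the answer describes, redone as an added Python script so the relation it produces can be checked without gdb (this is example code written for this thread; it is neither gef's implementation nor anything from the Hookless write-up). It walks the readable mappings of ld.so, looks for pointer-sized words that land inside the main binary's file-backed mappings, and reports each hit as "binary_base = *(ld.so + off) - delta", which is exactly the leak an exploit needs: read the word at a known offset inside ld.so's data, subtract the constant delta, and you have the program base. The mapping names, the `/tmp/hookless` path, the `fake_reader` memory contents and the `SAMPLE_MAPS` text are all constructed for the self-contained demo; run the file directly on Linux and it scans its own process instead.

```python
#!/usr/bin/env python3
"""Find pointers into the main binary inside ld.so's mappings, the way
`scan ld.so binary` does in gef, and express each as an offset pair.

Example code written for this discussion; not gef's code and not part
of the write-up.  SAMPLE_MAPS / fake_reader are constructed test data."""
import os
import re
import struct

MAPS_RE = re.compile(r'^([0-9a-f]+)-([0-9a-f]+) (\S+) \S+ \S+ \S+\s*(.*)$')


def parse_maps(text):
    """Turn /proc/<pid>/maps text into (start, end, perms, path) tuples."""
    out = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            out.append((int(m.group(1), 16), int(m.group(2), 16),
                        m.group(3), m.group(4)))
    return out


def select(maps, key):
    """All mappings whose backing path contains `key` (e.g. 'ld-')."""
    return [r for r in maps if key in r[3]]


def find_refs(maps, read_mem, haystack_key, needle_key, ptr_size=8):
    """Scan readable haystack mappings for aligned words pointing into any
    needle mapping.  Each hit is (where, value, needle_base, delta) with
    delta = value - needle_base, so needle_base = *(where) - delta."""
    hay = [r for r in select(maps, haystack_key) if 'r' in r[2]]
    needle = select(maps, needle_key)
    if not hay or not needle:
        return []
    needle_base = min(r[0] for r in needle)
    fmt = '<Q' if ptr_size == 8 else '<I'
    hits = []
    for start, end, _, _ in hay:
        data = read_mem(start, end)
        for off in range(0, len(data) - ptr_size + 1, ptr_size):
            val = struct.unpack_from(fmt, data, off)[0]
            if any(s <= val < e for s, e, _, _ in needle):
                hits.append((start + off, val, needle_base, val - needle_base))
    return hits


# --- constructed data: a PIE binary plus ld.so's rw pages -------------------
SAMPLE_MAPS = "\n".join([
    "555555554000-555555555000 r--p 00000000 08:01 1 /tmp/hookless",
    "555555555000-555555556000 r-xp 00001000 08:01 1 /tmp/hookless",
    "555555557000-555555558000 rw-p 00002000 08:01 1 /tmp/hookless",
    "7ffff7fc3000-7ffff7fc5000 rw-p 0002d000 08:01 2 /lib/ld-linux-x86-64.so.2",
])


def fake_reader(start, end):
    """Stand-in for /proc/pid/mem: two pointers into the binary (as a
    link_map's l_ld / l_phdr would be) and one libc-ish pointer to ignore."""
    buf = bytearray(end - start)
    struct.pack_into('<Q', buf, 0x1010, 0x555555557e18)   # -> binary .dynamic
    struct.pack_into('<Q', buf, 0x1028, 0x555555554040)   # -> binary phdrs
    struct.pack_into('<Q', buf, 0x1030, 0x7ffff7dd0000)   # not the binary
    return bytes(buf)


def demo_constructed():
    return find_refs(parse_maps(SAMPLE_MAPS), fake_reader, 'ld-', '/tmp/hookless')


# --- live scan of our own process (Linux only) ------------------------------
def proc_self_reader(start, end):
    with open('/proc/self/mem', 'rb') as f:
        f.seek(start)
        try:
            return f.read(end - start)
        except OSError:
            return b''


def live_scan():
    with open('/proc/self/maps') as f:
        maps = parse_maps(f.read())
    return find_refs(maps, proc_self_reader, 'ld-', os.readlink('/proc/self/exe'))


if __name__ == '__main__':
    hits = live_scan() if os.path.exists('/proc/self/maps') else demo_constructed()
    for where, val, base, delta in hits:
        print(f"ld.so word @ {where:#x} = {val:#x}  ->  binary_base = *({where:#x}) - {delta:#x}")
```

Every hit is a candidate leak: in a real exploit you would pick one whose `where` is at a fixed offset from whatever ld.so address you already control or have leaked, read it, and subtract `delta`; the GOT entry to overwrite is then `binary_base + offset_of_the_GOT_slot`.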