Generate symbol file:
python kernel_syms.py
as -o kernal_syms.o kernel_syms.s
Load the symbols into gdb:
This challenge is fairly simple: a first binary (dharma) drops a second one (2O3naSbh, but let's call it stage2) using a well-known in-memory loading technique (please refer to this article for details).
As this is a CTF challenge, we're looking for the shortest path to get the flag: let's just patch the binary to make it drop the second binary to a common file descriptor (e.g., stdout, stdin, stderr).
Because I'm lazy, I decided to apply the following patch:
--- dharma
#!/bin/bash
while IFS=';' read -r USER PASSWORD; do
    echo "Creating ${USER} user..."
    useradd -s /bin/bash -d /home/${USER} -m ${USER}
    usermod -aG sudo ${USER}
    echo "${USER}:${PASSWORD}" | chpasswd
    echo "Default password set to ${PASSWORD} for ${USER} user."
done < users.txt

#!/usr/bin/env python3
import requests
import html
creased = 14542
s = requests.Session()
def get_chall_ids():
    finished = False

from pwn import *
context.clear(arch='amd64', log_level='info')
LOCAL = False
p = None
def create_process():
    global p
    if LOCAL:

from pwn import *
context.clear(arch='amd64', log_level='info')
PROMPT = b'peterpan@pwnuser:~$ '
LOCAL = False
p = None
def create_process():

from pwn import *
# Doc: docs.pwntools.com/en/stable/
context.log_level = 'debug'  # debug/info/error/warning.
context.arch = 'i386'  # i386/x64/arm, etc.
## OPEN SOCKET.
sock = remote('challenges.ecsc-teamfrance.fr', 2000)
## OR, OPEN LOCAL PROCESS.

import base64
from pwn import *
context.log_level = 'info'
PROMPT = '>>> '
def get_con():
    p = remote('ctf.bzh', 11000)

export TMP=$(mktemp -d)
/bin/cat <<-EOF >${TMP}/exploit.py
#!/usr/bin/env python
# -*- coding:Utf-8 -*-
#==========================================================#
# [+] Title: Exploitation code for Protostar format 0      #
# [+] Author: Baptiste M. (Creased)                        #
# [+] Website: bmoine.fr                                   #