Tags: 2020 give_away_2 pwn sharkyctf
Rating: 5.0
# SharkyCTF – Give away 2
* **Category:** PWN
* **Points:** 293
## Challenge
> Make good use of this gracious give away.
>
> nc sharkyctf.xyz 20335
>
> Creator: Hackhim
>
> Attachments :
> > binary : give_away_2
> >
> > shared library : libc-2.27.so
## Solution
we run the binary and it gives us a give away :
(this time we have a 64bit one)
![screenshot1](https://github.com/0d12245589/CTF-writeups/raw/master/2020/SharkyCTF/PWN/Give_away_2/images/screenshot1.png)
lets find out what is this give away ?
we disassemble using binary ninja :
![screenshot2](https://github.com/0d12245589/CTF-writeups/raw/master/2020/SharkyCTF/PWN/Give_away_2/images/screenshot2.png)
we see that the give away is the address of the main function hmmm, what can we use it for ?
well first we need a leak from the GOT table to be able to ret2libc
so i found i ROP gadget that pops rdi and returns so we let it pop the printf@got address (cuz we have the address of main so it is easily obtained)
after that we jump to the printf call in main so we can get the printf address in libc using the same format string "Give away: %p\n"
so after this call it continues in the main function and calls vuln again so we can send another payload
SWEEEEET!
so the after we have the printf address in libc we calculate the libc base address easily
then we do a regular ret2libc attack by poping rdi = binsh and calling system and we're done yaay!
but no... it worked only locally :(
so for some reason I just recalled system again with the binsh arg and it worked fine XD
let me know why in the comments
oh yes forgot, my script is here : [solve.py](https://github.com/0d12245589/CTF-writeups/tree/master/2020/SharkyCTF/PWN/Give_away_2/solve.py)
THE FLAG :
```
shkCTF{It's_time_to_get_down_to_business}
```
> P.S : 3MIN3M D4 G047.