Tags: 2020 give_away_2 pwn sharkyctf 


# SharkyCTF – Give away 2

* **Category:** PWN
* **Points:** 293

## Challenge

> Make good use of this gracious give away.
>
> nc sharkyctf.xyz 20335
>
> Creator: Hackhim
>
> Attachments :
> > binary : give_away_2
> >
> > shared library : libc-2.27.so

## Solution

We run the binary and it gives us a give away (this time we have a 64-bit one):

![screenshot1](https://github.com/0d12245589/CTF-writeups/raw/master/2020/SharkyCTF/PWN/Give_away_2/images/screenshot1.png)

Let's find out what this give away is.

We disassemble it using Binary Ninja:

![screenshot2](https://github.com/0d12245589/CTF-writeups/raw/master/2020/SharkyCTF/PWN/Give_away_2/images/screenshot2.png)

We see that the give away is the address of the main function. Hmmm, what can we use it for?

Well, first we need a leak from the GOT to be able to do a ret2libc.

So I found a ROP gadget that pops rdi and returns, so we let it pop the printf@got address (cuz we have the address of main, so it is easily obtained).

After that we jump to the printf call in main so we can get the printf address in libc using the same format string "Give away: %p\n".

After this call, execution continues in the main function and calls vuln again, so we can send another payload.

SWEEEEET!

So after we have the printf address in libc, we calculate the libc base address easily.
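The address arithmetic behind both leaks, as an added example that is not part of the original writeup or its solve.py: ASLR moves each image's load base per run, but offsets inside the image stay fixed, so one leaked pointer per image rebases everything in it. All offsets and the sample "Give away" lines are constructed placeholders; the real values come from the symbol tables of give_away_2 and libc-2.27.so.

```python
import re

PAGE = 0x1000  # ELF images are mapped on 4 KiB page boundaries

# Constructed offsets for illustration only (assumptions, not from the page).
MAIN_OFF = 0x8A4            # offset of main inside the binary
PRINTF_GOT_OFF = 0x201018   # offset of the printf GOT slot inside the binary
LIBC_PRINTF_OFF = 0x61234   # offset of printf inside libc
LIBC_SYSTEM_OFF = 0x4C5D0   # offset of system inside libc


def parse_giveaway(line):
    """Extract the pointer from a 'Give away: 0x...' line."""
    m = re.search(r"Give away: (0x[0-9a-fA-F]+)", line)
    if m is None:
        raise ValueError("no leak in line: %r" % line)
    return int(m.group(1), 16)


def image_base(leak, symbol_offset):
    """Load base = leaked runtime address - the symbol's offset in its file."""
    base = leak - symbol_offset
    # A base that is not page aligned means the offset (or the libc build)
    # does not match the leak, so fail loudly instead of using bad addresses.
    if base <= 0 or base % PAGE:
        raise ValueError("base %#x is not page aligned" % base)
    return base


def resolve(main_line, printf_line):
    """Turn the two leaked lines into absolute addresses for this run."""
    pie = image_base(parse_giveaway(main_line), MAIN_OFF)
    libc = image_base(parse_giveaway(printf_line), LIBC_PRINTF_OFF)
    return {
        "pie_base": pie,
        "printf_got": pie + PRINTF_GOT_OFF,
        "libc_base": libc,
        "system": libc + LIBC_SYSTEM_OFF,
    }


if __name__ == "__main__":
    # Constructed sample output, not captured from the challenge server.
    sample = resolve("Give away: 0x5581c2e008a4", "Give away: 0x7f3a1c261234")
    for name, addr in sample.items():
        print(f"{name:10s} {addr:#x}")
```

The page-alignment check is also the quickest way to notice that the local libc differs from the one the remote service uses.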

Then we do a regular ret2libc attack by popping rdi = binsh and calling system, and we're done, yaay!

But no... it worked only locally :(

So for some reason I just called system again with the binsh arg and it worked fine XD

Let me know why in the comments.

Oh yes, I forgot: my script is here: [solve.py](https://github.com/0d12245589/CTF-writeups/tree/master/2020/SharkyCTF/PWN/Give_away_2/solve.py)

THE FLAG :
```
shkCTF{It's_time_to_get_down_to_business}
```

> P.S : 3MIN3M D4 G047.

Original writeup (https://github.com/0d12245589/CTF-writeups/tree/master/2020/SharkyCTF/PWN/Give_away_2).