Baptiste MOINE Creased

Generate symbol file:

python kernel_syms.py
as -o kernal_syms.o kernel_syms.s

Load the symbols into gdb:

Dharma.exe

This challenge is fairly simple, a first binary (dharma) drops a second one (2O3naSbh, but let's call it stage2) using a well-known in-memory loading technique (please refer to this article for details).

As this is a CTF challenge, we're looking for the shortest path to get the flag: let's just patch the binary to make it drops the binary to a common file descriptor (e.g., stdout, stdin, stderr).

Because I'm lazy, I decided to apply the following patch:

--- dharma

	#!/bin/bash
	while IFS=';' read -r USER PASSWORD; do
	echo "Creating ${USER} user..."
	useradd -s /bin/bash -d /home/${USER} -m ${USER}
	usermod -aG sudo ${USER}
	echo "${USER}:${PASSWORD}" \| chpasswd
	echo "Default password set to ${PASSWORD} for ${USER} user."
	done < users.txt

	#!/usr/bin/env python3
	import requests
	import html

	creased = 14542

	s = requests.Session()

	def get_chall_ids():
	finished = False

	from pwn import *

	context.clear(arch='amd64', log_level='info')

	LOCAL = False
	p = None

	def create_process():
	global p
	if LOCAL:

	from pwn import *

	context.clear(arch='amd64', log_level='info')

	PROMPT = b'peterpan@pwnuser:~$ '

	LOCAL = False
	p = None

	def create_process():

	from pwn import *

	# Doc: docs.pwntools.com/en/stable/

	context.log_level = 'debug' # debug/info/error/warning.
	context.arch = 'i386' # i386/x64/arm, etc.

	## OPEN SOCKET.
	sock = remote('challenges.ecsc-teamfrance.fr', 2000)
	## OR, OPEN LOCAL PROCESS.

	import base64

	from pwn import *

	context.log_level = 'info'

	PROMPT = '>>> '

	def get_con():
	p = remote('ctf.bzh', 11000)


	export TMP=$(mktemp -d)
	/bin/cat <<-EOF >${TMP}/exploit.py
	#!/usr/bin/env python
	# -- coding:Utf-8 --

	#==========================================================#
	# [+] Title: Exploitation code for Protostar format 0 #
	# [+] Author: Baptiste M. (Creased) #
	# [+] Website: bmoine.fr #