| from pwn import * | |
| context.clear(arch='amd64', log_level='info') | |
| LOCAL = False | |
| p = None | |
| def create_process(): | |
| global p | |
| if LOCAL: |
| #!/usr/bin/env python3 | |
| import requests | |
| import html | |
| creased = 14542 | |
| s = requests.Session() | |
| def get_chall_ids(): | |
| finished = False |
| #!/bin/bash | |
| while IFS=';' read -r USER PASSWORD; do | |
| echo "Creating ${USER} user..." | |
| useradd -s /bin/bash -d /home/${USER} -m ${USER} | |
| usermod -aG sudo ${USER} | |
| echo "${USER}:${PASSWORD}" | chpasswd | |
| echo "Default password set to ${PASSWORD} for ${USER} user." | |
| done < users.txt |
This challenge is fairly simple, a first binary (dharma) drops a second one (2O3naSbh, but let's call it stage2) using a well-known in-memory loading technique (please refer to this article for details).
As this is a CTF challenge, we're looking for the shortest path to get the flag: let's just patch the binary to make it drops the binary to a common file descriptor (e.g., stdout, stdin, stderr).
Because I'm lazy, I decided to apply the following patch:
--- dharmaGenerate symbol file:
python kernel_syms.py
as -o kernal_syms.o kernel_syms.sLoad the symbols into gdb: