Pwnctf binary Writeup

kazma, founder and president of the NCKU Information Security Club

binary

This challenge has three stages; entering the right value at each one opens a shell. First, stage1:

[image: s1]

Note that the first two are je and the last one is jne, so here we send 0x100001. Next, stage2:

[image: s2]

This time three values have to be sent: 0x64, 0x100, 0xfaceb00c. That brings us to stage3:

[image: s3]

This time it asks for the address of im_a_global_variable, which is 0x60107c. Putting the information above together into exploit.py, and turning off BytesWarning along the way:

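from pwn import *
import warnings

# str arguments to sendline() trigger pwntools' BytesWarning; silence it
warnings.filterwarnings("ignore", category=BytesWarning)
r = process('./binary')

# Stage 1: the value that passes the je/je/jne checks (sent as decimal text)
r.sendline(str(0x100001))
# Stage 2: three values on one line, separated by spaces
r.sendline("{} {} {}".format(0x64, 0x100, 0xfaceb00c))
# Stage 3: the address of im_a_global_variable
r.sendline(str(0x60107c))
r.interactive()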

result:

└─$ python exploit.py
[+] Starting local process './binary': pid 304980
[*] Switching to interactive mode
Stage 1
Stage 1 completed
Stage 2
Stage 2 completed
Stage 3
Stage 3 completed
Congrat! Here is your shell!
$ cat flag
BreakAllCTF{A_g00d_h4cker_15_f4m1liar_w1th_b1n4ry_5ystem}

Pwned !!!

  • Title: Pwnctf binary Writeup
  • Author: kazma
  • Created at : 2023-12-21 14:43:42
  • Updated at : 2023-12-21 15:04:48
  • Link: https://kazma.tw/2023/12/21/Pwnctf-binary-Writeup/
  • License: This work is licensed under CC BY-NC-SA 4.0.